On October 16, Cisco’s Talos group highlighted an active threat campaign exploiting a zero-day vulnerability, CVE-2023-20198, in the web UI component of Cisco IOS XE software. This software operates on a broad spectrum of Cisco networking devices. The exploitation of this vulnerability can lead to a total system takeover by an attacker.
What is CVE-2023-20198?
Cisco has issued a warning to admins regarding a high-severity zero-day authentication bypass vulnerability in its IOS XE software. This vulnerability allows unauthenticated attackers to attain full administrator privileges, enabling them to assume complete control of affected routers and switches from a remote location.
The company has designated this critical vulnerability as CVE-2023-20198 and has been said to affect exclusively devices with the Web User Interface (Web UI) feature activated, provided that the HTTP or HTTPS Server feature is also turned on. Cisco has also confirmed that this vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software is actively being exploited when the software is exposed to the internet or untrusted networks.
The successful exploitation of this vulnerability could enable an attacker to establish a privileged level 15 account on an affected device, effectively granting them complete control over the compromised device and enabling potential unauthorized actions.
First detected on September 28 by Cisco’s Technical Assistance Center (TAC), the attacks were in response to reports of unusual behavior on a customer’s device. Upon further investigation, Cisco identified related activities dating back to September 18. The malicious activities involved an authorized user creating a local user account with the username “cisco_tac_admin” from a suspicious IP address (5.149.249[.]74).
On October 12, the company uncovered additional activity associated with the exploitation of CVE-2023-20198. During this instance, a local user account named “cisco_support” was created from another suspicious IP address (154.53.56[.]231). The attackers also utilized malicious implants through CVE-2021-1435 exploits and other undisclosed methods to execute arbitrary commands at the system or IOS levels.
In its update, Cisco noted that “We believe these patterns of activity are likely the work of the same actor. Both sets of activity occurred in close proximity, with the October activity appearing to build upon the foundation laid in September… The first set of activity may have represented the actor’s initial testing and experimentation with their code, while the October activity suggests an expansion of their operation to establish persistent access by deploying the implant.”
Does it affect me?
Both vulnerabilities, which Cisco tracks as CSCwh87343, are in the web UI of Cisco devices running the IOS XE software. Currently the first fixed release available is 17.9.4a, with updates to be rolled out at an undisclosed date.
| Cisco IOS XE Software Release Train | First Fixed Release | Available |
| 17.9 | 17.9.4a | Yes |
| 17.6 | 17.6.6a | TBD |
| 17.3 | 17.3.8a | TBD |
| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | TBD |
Has CVE-2023-20198 been actively exploited in the wild?
Initial estimates indicated that approximately 10,000 vulnerable Cisco IOS XE devices had been compromised by the middle of last week, with this number surging to over 40,000 within a few days as more researchers joined the investigation. On October 20, Cisco revealed the existence of this second zero-day exploit within the same campaign, enabling complete system control on devices running IOS XE software.
However, over the weekend, researchers observed a significant decline in the number of compromised Cisco IOS XE hosts targeted by the two zero-day vulnerabilities, plummeting from around 60,000 to just a few hundred. The precise cause of this abrupt reduction remains uncertain, but one hypothesis suggests that the attacker may have implemented an update to conceal their presence, rendering the malicious implants no longer detectable during scans.
Piotr Kijewski, the CEO of The Shadowserver Foundation, reported a sharp decline in the number of implants since October 21, with only 107 devices remaining visible.
Fixing CVE-2023-20198
Following a successful leverage of the zero-day security issues meant to compromise and take full control of more than 50,000 Cisco IOS XE hosts, the free software has released advisories and updates for the fixed software release, available at the company’s Software Download Center. The company warns that if the web UI (HTTP Server) feature of the device is turned on, both vulnerabilities can be exploited, possible through the ip http server or ip http secure-server commands.
As a first response to the critical security vulnerability known as CVE-2023-20198, Cisco has recommended specific mitigation measures to safeguard affected systems. The foremost step was to disable the HTTP server feature on internet-facing systems, effectively eliminating the attack vector and thwarting potential threats. Administrators were advised to check whether the feature is active by running the show running-config | include ip http server|secure|active command to check in the global configuration for the ip http server or the ip http secure-server Commands. “The presence of either command or both commands in the system configuration indicates that the web UI feature is enabled”, Cisco noted.
After disabling the HTTP Server feature, preserving the configuration is crucial to prevent its inadvertent reactivation during system reloads. In instances where both the HTTP and HTTPS servers are in use, both commands must be employed to disable the HTTP Server feature.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
