Get in Touch
Indiscriminate, opportunistic targeting.
Cisco has disclosed details pertaining to the active exploitation of a security flaw in the Cisco IOS XE Web User Interface Software. The authentication bypass zero-day vulnerability, tracked as CVE-2023-20198 (CVSSv3 score: 10.0), impacts both physical and virtual devices running Cisco IOS XE Software that also have the HTTP or HTTPS Server feature enabled.
Successful exploitation of CVE-2023-20198 could allow a threat actor to create an account on the affected system with high privilege level access. This would grant full control of the compromised system, almost certainly resulting in the compromise of the integrity of data.
As of the time of writing, a security patch has yet to be released by Cisco for this vulnerability. As such, it is strongly recommended that the mitigation strategies provided are adhered to until a patch becomes available.
Cisco IOS XE Software
Containment, Mitigations & Remediations
Cisco recommends that users disable the HTTP Server feature on internet-facing systems to mitigate the risk of potential exploitation. Further details regarding the HTTP Server configuration can be found at the Cisco Advisory.
Indicators of Compromise
Administrators can implement the following investigations to determine whether or not a vulnerable system has been compromised:
- Analyse the system logs for the presence of any specific log messages where the user could be cisco_tac_admin, cisco_support or any configured local user that is unknown to the network administrator
- Analyse the system logs for messages whereby filenames are unknown and do not correlate with an expected file installation action.
Further details pertaining to the specific commands required to conduct these investigations can be found within the Cisco Advisory.
Cisco occupies a significant proportion of the enterprise network infrastructure market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Cisco products have become a prime target. Due to the fact that Cisco products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0004 – Privilege Escalation