Home / Threat Intelligence bulletins / Actively exploited zero-day amongst the latest batch of disclosed Cisco vulnerabilities

Target Industry

Indiscriminate, opportunistic targeting.


Cisco has disclosed several security vulnerabilities within their latest patch release.

Firstly, a Cisco zero-day flaw in the IOS and IOS XE software has been actively exploited by threat actors in the wild. The vulnerability, tracked as CVE-2023-20109 (CVSS v3.1: 6.6), has originated from an inadequate attribute validation within the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. Exploitation requires threat actors to have administrator privileges with control of a key server or a group member. Regardless of the required access for exploitation, threat actors have initiated attack campaigns, leveraging the security issue.

Five Cisco Catalyst SD-WAN Manager products’ vulnerabilities have also been discovered. CVE-2023-20252 (CVSS v3.1: 9.8) is the most serious of this category of flaws, successful exploitation of which could provide a threat actor with unauthorised access to the affected product as a result of Security Assertion Markup Language (SAML) API issues.

The remaining four have been classified with a lower severity level rating:

  • CVE-2023-20253 (CVSS v3.1: 8.4): Unauthorised configuration rollback due to CLI vulnerabilities
  • CVE-2023-20034 (CVSS v3.1: 7.5): Information disclosure vulnerability in Elasticsearch access control
  • CVE-2023-20254 (CVSS v3.1: 7.2): Authorisation bypass in the session management system
  • CVE-2023-20262 (CVSS v3.1: 5.3): DoS vulnerability in the SSH service


Successful exploitation of CVE-2023-20109 could allow a threat actor to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a denial-of-service (DoS) condition

Successful exploitation of CVE-2023-20252, CVE-2023-20253, CVE-2023-20034, CVE-2023-20254 and CVE-2023-20262 could allow an unauthenticated, remote threat actor to obtain unauthorised access to the application as an arbitrary user

Vulnerability Detection

Security patches for these vulnerabilities have been released by Cisco. Previous product versions therefore remain vulnerable to potential exploitation.

Affected Products

  • CVE-2023-20109: All Cisco products running a vulnerable IOS or IOS XE software version with either the GDOI or G-IKEv2 protocol enabled
  • CVE-2023-20252, CVE-2023-20253, CVE-2023-20034, CVE-2023-20254 and CVE-2023-20262: Cisco Catalyst SD-WAN Manager

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected product version apply the latest available security patches as soon as possible. A list of the patches correlating to each of the vulnerabilities reported on can be found within the following Cisco Advisories:


CVE-2023-20252, CVE-2023-20253, CVE-2023-20034, CVE-2023-20254 and CVE-2023-20262

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Cisco occupies a significant proportion of the enterprise network infrastructure market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Cisco products have become a prime target. Due to the fact that Cisco products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies


TA0001 – Initial Access

TA0002 – Execution

Further Information

Cisco Advisory: CVE-2023-20109

Cisco Advisory: CVE-2023-20252, CVE-2023-20253, CVE-2023-20034, CVE-2023-20254 and CVE-2023-20262


An Intelligence Terminology Yardstick to showing the likelihood of events