overview

A vulnerability targeting the Cisco IOS XE operating system has been identified, leaving upwards of 80,000 internet-connected devices vulnerable to privilege escalation. Using the Web UI of Cisco IOS XE software while exposed to the internet allows attackers to create a local user account, plant malicious code to be executed on a reboot, and escalate the new user’s privilege level to the highest available (level 15). This vulnerability is being tracked as CVE-2023-20198. 

CVE-2023-20198 was discovered by Cisco on September 28th, when Cisco’s Technical Assistance Center (TAC) discovered the creation of a privileged account from a suspicious IP address on September 18th. Despite being patched in March of 2021, Cisco observed threat actors using an older vulnerability, CVE-2021-1435, to execute arbitrary code as the root user once a local account had been created. It is not known yet how they were able to accomplish this, and the threat actor responsible for these intrusions is yet unidentified. 

This vulnerability's relative ease of exploitation, together with the enormity of potential actions a threat actor could take with privilege level 15, poses a major threat to those affected. 

 

 

avertium's recommendationS

  • Disable the HTTP / HTTPS Server feature on any internet-facing Cisco IOS XE systems. 
  • Perform the checks listed by Cisco under the “Indicators of Compromise” section here. 

At this time, there are no workarounds or patches available for this vulnerability. We will continue to monitor the situation and will provide an update once patches become available. 

 

 

INDICATORS OF COMPROMISE (IoCs)

Cisco observed the following IP Addresses exploiting CVE-2023-20198: 

  • 5.149.249[.]74 
  • 154.53.56[.]231 
  • 38.60.199[.]10

They have also provided a list of checks to determine if your system may have been compromised. A full breakdown can be found here. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

 

 

How Avertium is Protecting Our CUSTOMERS

Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include: 

  • Risk Assessments 
  • Pen Testing and Social Engineering 
  • Infrastructure Architecture and Integration 
  • Zero Trust Network Architecture 
  • Vulnerability Management 







SUPPORTING DOCUMENTATION

Actively exploited Cisco 0-day with maximum 10 severity gives full network control (arstechnica.com) 

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability (cisco.com) 

Cisco Devices Hacked via IOS XE Zero-Day Vulnerability (securityweek.com) 

Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability (talosintelligence.com) 

 

Chat With One of Our Experts




Cisco Vulnerabilities Flash Notice Cisco privilege escalation vulnerability Blog