Cisco Warns of Critical Vulnerability in IOS XE Software

Cisco has issued an urgent warning about the active exploitation of a critical vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software.

The tech giant has urged affected organizations to immediately implement guidance set out in its advisory, published on October 16, to mitigate the threat.

The vulnerability, CVE-2023-20198, has the highest possible CVSS severity rating of 10. Successful exploitation enables an attacker to create an account on the affected device with privilege level 15 access. This effectively grants them full control of the compromised device, paving the way for subsequent unauthorized activity.

The flaw affects both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.

The software must also be exposed to the internet or untrusted networks for exploitation to occur.

How Exploitation Occurs

Cisco Talos first discovered evidence of potentially malicious activity on a customer device from September 28 to October 1, 2023.

On October 12, the team detected an additional cluster of related activity, in which an unauthorized user was observed creating a local user account under the name ‘cisco_support’ from a second suspicious IP address.

This activity included several subsequent actions, such as the deployment of an implant consisting of a configuration file. The configuration file defines the new web server endpoint used to interact with the implant, and this endpoint receives certain parameters that allow the execution of arbitrary commands at the system level or IOS level.

The new user accounts created through this implant give attackers full administrator access to the device.

Cisco believe that these clusters of activity were likely carried out by the same actor.

How to Mitigate the Vulnerability

Cisco set out the following recommendations for organizations using IOS XE software to mitigate exploitation.

  • Disable the HTTP Server feature on all internet-facing systems, which is consistent with guidance the US government has provided in the past on mitigating risk from internet-exposed management interfaces.
  • Look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. Cisco advised running the command curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1" against the device to determine whether the implant is present.
  • Continue monitoring Cisco’s advisory for further updates around exploitation and public announcements as more information becomes available.
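An added example (not Cisco's or the article's code) that turns the two detection checks above into a small Python audit: it flags unexpected privilege-15 accounts and enabled HTTP/HTTPS server lines in a saved "show running-config", and classifies the body returned by the curl probe. The running-config sample is constructed; the criterion that the implant answers the probe with a bare hexadecimal string comes from Cisco Talos's write-up rather than this article.

```python
import re
from typing import Dict, List

# Constructed sample of IOS XE running-config output; the account names and
# secrets are placeholders, not values from the article or any real device.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
"""

# Accounts the operator expects to see; any other privilege-15 account is suspect.
EXPECTED_ADMINS = {"netadmin"}


def find_privilege15_users(config: str) -> List[str]:
    """Return every local username configured with privilege level 15."""
    return re.findall(r"^username\s+(\S+)\s+privilege\s+15\b", config, re.M)


def unexpected_privilege15_users(config: str, expected: set) -> List[str]:
    """Privilege-15 accounts not in the operator's expected set (e.g. 'cisco_support')."""
    return [u for u in find_privilege15_users(config) if u not in expected]


def http_server_status(config: str) -> Dict[str, bool]:
    """Report whether the HTTP / HTTPS server features the advisory says to disable are on."""
    return {
        "ip http server": re.search(r"^ip http server[ \t]*$", config, re.M) is not None,
        "ip http secure-server": re.search(r"^ip http secure-server[ \t]*$", config, re.M) is not None,
    }


def implant_check_command(device_ip: str) -> str:
    """Build the Talos-recommended POST against the logoutconfirm endpoint (run it yourself)."""
    return f'curl -k -X POST "https://{device_ip}/webui/logoutconfirm.html?logon_hash=1"'


def response_indicates_implant(body: str) -> bool:
    """Per Cisco Talos, the implant answers this request with a bare hexadecimal string.
    A clean device returns an HTML page or nothing, so a negative result is not proof of absence."""
    return re.fullmatch(r"[0-9a-fA-F]+", body.strip()) is not None
```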
