Network Computing is part of the Informa Tech Division of Informa PLC


Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised

Cisco Exploit
(Credit: znakki via Shutterstock)

A threat actor has already infected thousands of Internet-exposed Cisco IOS XE devices with an implant for arbitrary code execution via an as-yet-unpatched maximum-severity vulnerability in the operating system.

Cisco disclosed the flaw, identified as CVE-2023-20198, on Oct. 17, with a warning about exploit activity in the wild targeting the flaw. The bug, which has a severity rating of 10 out of 10 on the CVSS vulnerability-severity scale, is present in the Web UI component of IOS XE.

The company said it had observed an attacker using the vulnerability to gain administrator-level privileges on IOS XE devices and then, in an apparent patch bypass, abusing an older remote code execution (RCE) flaw from 2021 (CVE-2021-1435) to drop a Lua-language implant on affected systems.

Now, those attacks appear to have a global footprint.

Unpatched Bug Leads to 10K Infected Cisco Systems

Cisco's security advisory noted that the company had responded to reports of unusual activity tied to the flaw from multiple customers. But the actual scope of the infections appears to be a lot higher than what was apparent from the advisory.

Jacob Baines, CTO at VulnCheck says his company has fingerprinted at least 10,000 Cisco IOS XE systems with the implant on them — and that's from scanning just half of the affected devices that are visible on search engines such as Shodan and Censys.

"From what we can tell, it doesn't appear to be localized," Baines says. "The IPs geolocate to a wide number of countries all over the globe."

Baines says it's somewhat difficult to determine if the attacks are opportunistic or targeted. On the one hand, opportunistic attacks often involve threat actors using publicly available or researcher-developed proof-of-concept (PoC) exploits.

But that's not what has happened with the activity targeted at CVE-2023-20198 so far, he says. "Not only did the attackers allegedly use a zero day — and perhaps a second patch bypass — but they also deployed a custom implant. That isn't opportunistic."

Yet at the same time, the sheer number of exploited systems suggests more of an indiscriminate approach, Baines says.

Read the rest of this article on Dark Reading.
