Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised

Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.


A threat actor has already infected thousands of Internet-exposed Cisco IOS XE devices with an implant for arbitrary code execution, via an as-yet-unpatched, maximum-severity vulnerability in the operating system.

Cisco disclosed the flaw, identified as CVE-2023-20198, on Oct. 17, with a warning about exploit activity in the wild targeting the flaw. The bug, which has a severity rating of 10 out of 10 on the CVSS vulnerability-severity scale, is present in the Web UI component of IOS XE.

The company said it had observed an attacker using the vulnerability to gain administrator-level privileges on IOS XE devices and then, in an apparent patch bypass, abusing an older remote code execution (RCE) flaw from 2021 (CVE-2021-1435) to drop a Lua-language implant on affected systems.

Now, those attacks appear to have a global footprint.

Unpatched Bug Leads to 10K Infected Cisco Systems

Cisco's security advisory noted that the company had responded to reports of unusual activity tied to the flaw from multiple customers. But the actual scope of the infections appears to be a lot higher than what was apparent from the advisory.

Jacob Baines, CTO at VulnCheck, says his company has fingerprinted at least 10,000 Cisco IOS XE systems with the implant on them, and that's from scanning just half of the affected devices that are visible on search engines such as Shodan and Censys.

"From what we can tell, it doesn't appear to be localized," Baines says. "The IPs geolocate to a wide number of countries all over the globe."

Baines says it's somewhat difficult to determine if the attacks are opportunistic or targeted. On the one hand, opportunistic attacks often involve threat actors using publicly available or researcher-developed proof-of-concept (PoC) exploits.

But that's not what has happened with the activity targeting CVE-2023-20198 so far, he says. "Not only did the attackers allegedly use a zero-day, and perhaps a second patch bypass, but they also deployed a custom implant. That isn't opportunistic."

Yet at the same time, the sheer number of exploited systems suggests more of an indiscriminate approach, Baines says.

Read the rest of this article on Dark Reading.


About the Author(s)

Jai Vijayan, Contributing Writer, Dark Reading

Freelance writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including Big Data, Hadoop, Internet of Things, E-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, IL.
