Cisco issues warning for critical 0-day vulnerability exploited in the wild

Update from October 23: Cisco has released an updated version for the Cisco IOS XE 17.9 release train. The other supported releases are yet to be updated. We recommend that you update to version 17.9.4a (if possible), or follow the steps from the workaround provided below.

Cisco has issued a warning regarding a critical security vulnerability (CVE-2023-20198) affecting its IOS XE software. With a severity rating of 10.0 on the CVSS scoring system, the vulnerability grants remote attackers full administrator privileges on affected devices without authentication.

Cisco discovered this problem after detecting suspicious activity on a customer device where unauthorized user accounts were being created from suspicious IP addresses. There have been at least two “waves” of exploitation noted by Cisco, the latter in October. The company suspects the same threat actor is behind two sets of activities, with the first cluster possibly being a test, and the second indicating an expansion of their operations.

The issue specifically affects enterprise networking equipment with the Web UI feature enabled and exposed to the internet or untrusted networks. Both physical and virtual devices running Cisco IOS XE are impacted if they have the HTTP or HTTPS server feature enabled. To mitigate the risk, it is advised to disable the HTTP server feature on systems facing the internet.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory and added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog. In April 2023, U.K. and U.S. intelligence agencies warned of state-sponsored campaigns targeting global network infrastructure, emphasizing the vulnerability of Route/Switch devices to such attacks.

Workarounds and recommendations

Cisco has now released software updates that address this vulnerability and has advised customers to upgrade. Customers who cannot upgrade at this time should implement the workaround detailed below.

The Cisco advisory gives steps for determining whether the HTTP Server feature is enabled and for disabling it. It also lists an additional command to run after disabling the HTTP Server feature, so that the feature is not re-enabled by a system reload.
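As an added, defender-side example that is not part of the original post or of Cisco's advisory: a small Python check that parses a `show running-config` dump for the HTTP and HTTPS server lines the workaround turns off, and lists the commands to disable them and persist the change. The config sample is constructed; the `ip http server`, `ip http secure-server` and `copy running-config startup-config` commands are standard IOS XE CLI, assumed here rather than quoted from the page.

```python
import re

# Constructed sample of `show running-config` output (not from the page or any
# real device). It shows HTTP explicitly disabled while HTTPS is still enabled,
# which is the state a naive "grep for ip http server" check gets wrong.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-router-1
!
no ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Config lines that turn the Web UI listeners on. The same keyword prefixed with
# "no" means the listener is disabled, so a plain substring match on
# "ip http server" would flag a hardened device as exposed.
_WEBUI_LINE = re.compile(r"^(?P<neg>no\s+)?ip http (?P<which>server|secure-server)\s*$")


def assess_webui_exposure(running_config: str) -> dict:
    """Return which Web UI listeners are enabled in a running-config dump.

    'http' / 'https' map to True when enabled, False when an explicit
    'no ip http ...' line is present, and None when the line is absent
    (the platform default then applies; treat None as 'verify on the device').
    """
    state = {"http": None, "https": None}
    for raw in running_config.splitlines():
        m = _WEBUI_LINE.match(raw.strip())
        if not m:
            continue
        key = "http" if m.group("which") == "server" else "https"
        state[key] = m.group("neg") is None
    return state


def remediation_commands(state: dict) -> list:
    """Configuration-mode commands to disable any listener not confirmed off,
    then save the config so a reload does not bring the Web UI back."""
    cmds = []
    if state["http"] is not False:          # True or unknown: disable explicitly
        cmds.append("no ip http server")
    if state["https"] is not False:
        cmds.append("no ip http secure-server")
    if cmds:
        cmds.append("copy running-config startup-config")
    return cmds
```

Feed the function the output of `show running-config` collected from each device; an empty remediation list means both listeners are explicitly disabled, anything else is the workaround still to apply on that device.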

The Cisco advisory also includes some indicators of compromise to assist in incident response investigations.

How can Outpost24 help?

Outscan NX/HIAB customers can detect this vulnerability if they have configured the scan to run in “authenticated” mode.

We are developing more methods of detecting this vulnerability and will keep our detection updated as more information comes out.

Note: This text reflects the status at the time of publication. The status of detection, the recommendations for remediation, and the availability of patches may have changed since; refer to the vendor's information for the latest updates, as well as the vulnerability database in the tooling.

About the Author

Mark Otzen, Head of Vulnerability Research, Outpost24

Mark is the team lead and head of Outpost24's Vulnerability Research department. With nine years of experience in the industry and six years with the team, he provides both research expertise and tradecraft skills. As a technical lead he coordinates and supports his teammates while also having a hands-on role in research and development.