A command-injection vulnerability was found in Cisco’s production equipment. CVE-2023-20076 could allow unauthorized root-level access and remote code execution, leading to total control over a device’s operating system. The bug could also allow persistence through upgrades or reboots, despite Cisco's safeguards against such a situation.

CVE-2023-20076 impacts the following Cisco networking devices:

  • 800 Series Industrial ISRs
  • Catalyst Access Points (COS-APs)
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways (software releases earlier than 1.2.1)
  • IR510 WPAN Industrial Routers

In addition to the command-injection flaw, researchers from Trelix found a second vulnerability in Cisco gear. The bug, tracked as CSCwc67015, was found in “yet-to-be-released” code. It could allow an attacker to remotely execute their own code and overwrite most of the files on a device. According to Cisco’s advisory, the company confirmed that the issue exists but because the unreleased code was placed there for future application packaging support, there are no devices affected. Cisco has resolved the issue, but attackers don’t have a way to capitalize off the vulnerability at this time.

Although exploiting either vulnerability would require admin-level access over a Cisco device, the company’s networking equipment is used worldwide (i.e., government organizations, enterprises, data centers, and industrial sites). Due to the popularity of the equipment, the impact of CVE-2023-20076 could be devastating for thousands of businesses. There are no workarounds for CVE-2023-20076, therefore, Avertium recommends that your organization apply the appropriate patch immediately.



avertium's recommendations


  • It is highly recommended that all customers with the previously mentioned networking devices apply the appropriate patch and follow Cisco’s patch guidance.
  • Although there are no workarounds for the vulnerability, Cisco’s advisory states that customers who do not want to use the Cisco IOx application hosting environment can disable IOx permanently on the device using the no iox configuration command.
    • Note: While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions.




At this time, there are no known IoCs associated with CVE-2023-20076 Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.



How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.
  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes. 




Cisco IOx Application Hosting Environment Command Injection Vulnerability

Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover (darkreading.com)

When Pwning Cisco Persistence Is Key When Pwning Supply Chain Cisco Is Key (trellix.com)




Related Resource:  2023 Cybersecurity Landscape: 8 Lessons for Cybersecurity Professionals

Chat With One of Our Experts

Cisco Vulnerabilities remote code execution RCE Remote Code Execution (RCE) vulnerabilities Flash Notice Cisco Blog