A vulnerability targeting the Cisco IOS XE operating system has been identified, leaving upwards of 80,000 internet-connected devices vulnerable to privilege escalation. Using the Web UI of Cisco IOS XE software while exposed to the internet allows attackers to create a local user account, plant malicious code to be executed on a reboot, and escalate the new user’s privilege level to the highest available (level 15). This vulnerability is being tracked as CVE-2023-20198.
CVE-2023-20198 was discovered by Cisco on September 28th, when Cisco’s Technical Assistance Center (TAC) discovered the creation of a privileged account from a suspicious IP address on September 18th. Despite being patched in March of 2021, Cisco observed threat actors using an older vulnerability, CVE-2021-1435, to execute arbitrary code as the root user once a local account had been created. It is not known yet how they were able to accomplish this, and the threat actor responsible for these intrusions is yet unidentified.
This vulnerability's relative ease of exploitation, together with the enormity of potential actions a threat actor could take with privilege level 15, poses a major threat to those affected.
At this time, there are no workarounds or patches available for this vulnerability. We will continue to monitor the situation and will provide an update once patches become available.
INDICATORS OF COMPROMISE (IoCs)
Cisco observed the following IP Addresses exploiting CVE-2023-20198:
They have also provided a list of checks to determine if your system may have been compromised. A full breakdown can be found here. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include: