Cisco zero-day vulnerability allows complete takeover of the network
October 17, 2023
A zero-day in the web UI of the Cisco IOS XE software is being actively exploited on systems exposed to the Internet or to untrusted networks. If the attack succeeds, hackers can completely take over a system.
Talos, Cisco’s security team, has discovered a new zero-day in the web UI of the IOS XE software. When a system is connected to the Internet or an untrusted network, attackers can completely take over an affected system by creating an account with privilege level 15.
The newly discovered vulnerability has been assigned CVE-2023-20198 and carries the maximum CVSS score of 10, rated critical. This zero-day threatens both physical and virtual systems running IOS XE software with an active HTTP or HTTPS server.
Cisco has released an advisory that recommends disabling the HTTP/S servers on systems connected to the Internet. Given the critical CVSS score, Talos and Cisco recommend following the company’s published advice quickly and carefully.
Configured attack
The first case of suspected malicious activity was discovered on September 28th. It involved the creation of an account from a suspicious IP address. A second, similar case drew attention because a configuration file was planted on the system. In both cases, the account posed as a Cisco entity.
Attackers have also exploited the CVE-2021-1435 vulnerability, even though Cisco released full patches for it in the past. The planted configuration file is based on the Lua programming language and consists of 29 lines of code.
Talos recommends that organizations and businesses watch for new or unexplained accounts on their systems, as these could indicate that malicious activity is underway.
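The two recommendations above (disable the HTTP/S servers, watch for unexplained accounts) can be checked against a saved running configuration. The script below is an added example, not code from Cisco or Talos; the sample configuration, host name, account names and the approved-admin list are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed
username helpdesk privilege 1 secret 9 $9$constructed
username vendor_support privilege 15 secret 9 $9$constructed
!
no ip http server
ip http secure-server
!
"""

USER_RE = re.compile(r"^username\s+(\S+)(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$")


def audit_config(config_text, approved_admins):
    """Report enabled web UI servers and level-15 local users not on the approved list."""
    http_enabled = set()
    unexpected_admins = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            if not m.group(1):  # no leading "no": the server is enabled
                http_enabled.add("HTTPS" if m.group(2) == "secure-server" else "HTTP")
            continue
        m = USER_RE.match(line)
        if m:
            name, rest = m.groups()
            priv = PRIV_RE.search(rest)
            level = int(priv.group(1)) if priv else 1  # no keyword means level 1
            if level == 15 and name not in approved_admins:
                unexpected_admins.append(name)
    return {"http_enabled": sorted(http_enabled),
            "unexpected_admins": unexpected_admins}


if __name__ == "__main__":
    # approved_admins is an assumed, locally maintained allowlist.
    print(audit_config(SAMPLE_CONFIG, approved_admins={"netops"}))
```

The check only sees local accounts present in the configuration text it is given, so it complements rather than replaces a review of the device's logs.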
Last month, Cisco announced the acquisition of Splunk to expand its cybersecurity capabilities. The company’s VPNs had previously come under criticism due to various brute force attacks.
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.