With a few days gap, Cisco disclosed active exploitation detections for separate zero-days affecting its IOS XE devices. The tech giant pledged to roll out the patches shortly.
Cisco IOS XE Zero-Days Exploited In The Wild
According to a recent post from Cisco Talos, the firm detected active exploitation attempts for two different zero-days affecting its IOS XE devices.
The disclosure first appeared online about a week ago when Cisco admitted detecting active exploitation for a new, unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software. This vulnerability, identified as CVE-2023-20198, allowed an adversary to gain elevated privileges on the target device. By exploiting this flaw, an attacker could create normal user access logins or local user accounts.
This vulnerability typically affected Cisco IOS XE devices (both physical and virtual) with the HTTP or HTTPS Server feature enabled. While Cisco couldn’t release an immediate fix for the flaw, they shared a workaround to mitigate it. Specifically, Cisco recommended disabling the HTTP server feature, especially on internet-facing devices. That’s also a huge number, as Shodan search showed about 40,000 devices vulnerable to attacks.
Cisco assigned a critical severity rating to the flaw, with a CVSS score 10.0, as it allowed admin privileges.
Days after this initial disclosure and pledging a fix, Cisco disclosed another zero-day vulnerability under active attack. This time, the vulnerability, identified as CVE-2023-20273, enabled an adversary to perform further malicious activities on the target devices. This vulnerability also existed in the Web UI feature but affected a different component.
While the flaw achieved a high severity rating (CVSS 7.2), an attacker may chain it with the previous exploit to inject and execute malicious commands (or implant malware) on the target devices.
Cisco’s post explains the vulnerabilities and exploitation attempts in detail. Until the relevant security fixes arrive, Cisco advised users to secure their devices via the steps recommended in its security advisory.
Let us know your thoughts in the comments.