Cisco Warns of Actively Exploited Zero-Day Flaw in IOS XE Software
The Threat Advisory Has Been Updated
Overt Operator
October 21, 2023
Photo by cottonbro studio on Pexels
In an updated advisory published Friday, Cisco warned its users about a new zero-day flaw found in its IOS XE software. The vulnerability, tracked as CVE-2023-20273, has been actively exploited by an unidentified threat actor, with the malicious actor deploying a Lua-based implant on susceptible devices.
The flaw, which received a CVSS score of 7.2, is a privilege escalation vulnerability in the web UI feature. Intriguingly, it has been utilized in conjunction with another flaw, CVE-2023-20198 (CVSS score: 10.0), as part of an exploit chain.
"The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination," Cisco explained. This strategy permitted the user to log in with standard user access.
The attacker then leveraged the new local user to escalate privilege to root and write the implant to the file system by exploiting another component of the web UI feature. This shortcoming was assigned the identifier CVE-2023-20273.
A spokesperson from Cisco informed The Hacker News that a fix that addresses both vulnerabilities has been identified and will be released to customers starting October 22, 2023. In the meantime, Cisco recommends disabling the HTTP server feature to mitigate potential risks.
Previously, Cisco had stated that a now-patched security flaw in the same software (CVE-2021-1435) had been exploited to install the backdoor. However, after the discovery of the new zero-day, the company reassessed the situation, concluding that the vulnerability is no longer linked to the ongoing activity.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasized the severity of these vulnerabilities, warning that an "unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system." Specifically, these vulnerabilities would allow the actor to create a privileged account that grants full control over the device.
If successfully exploited, these bugs could allow attackers to gain unrestricted remote access to routers. As the fix is yet to be released, users are urged to be vigilant and disable the HTTP server feature as a temporary solution.