In a disclosure that shakes the bedrock of trust in network security, Cisco has alerted the public to a critical zero-day vulnerability in its IOS XE software. The vulnerability, tracked as CVE-2023-20198, affects any device running IOS XE with the web UI feature enabled and reachable from an untrusted network, and a successful exploit amounts to a full compromise of the device. Cisco's Talos security team has already observed active exploitation in the wild, accentuating the immediacy of the threat.

The Vulnerability

The vulnerability resides in the web UI feature of IOS XE. It can be exploited, without any credentials, on any device on which the HTTP or HTTPS server feature is enabled and exposed to the attacker; physical and virtual platforms alike are affected. Cisco first saw related activity on a customer device in late September, but the full gravity of the issue did not become clear until October 12, when a second cluster of activity was detected in which an unauthorized local user account was created from a suspicious IP address.

The observed exploitation chain uses the newly created account to drop an "implant" on the device: a small Lua-based web shell saved as a configuration file, which gives the attacker arbitrary command execution. The implant only becomes active once the device's web server is restarted, and it does not survive a reboot; the attacker-created accounts, by contrast, persist. Intriguingly, the implant has been delivered using both an older, already-patched IOS XE vulnerability and a second mechanism that remains undetermined, according to the Talos team.

The Potential Consequences

The severity of the flaw can hardly be overstated: it allows remote, unauthenticated attackers to create accounts with privilege level 15, the highest on the device, providing a virtual carte blanche to manipulate the compromised equipment. Michelle Abraham, IDC research director, warns that the possibilities are extensive, from deploying the router in a DDoS attack to intercepting or altering network traffic. Even more alarming is the capability to insert malicious firmware for sustained backdoor access.

Cisco’s Recommendations

While a security patch is still under development, Cisco strongly recommends disabling the HTTP and HTTPS server feature on all internet-facing devices. The company's advisory describes how to determine from the running configuration whether the HTTP or HTTPS server is enabled, how to test a device for the implant by sending a specific request to its web UI, and which log messages and unexpected privilege-15 accounts to look for. Where the web UI cannot be turned off, Cisco considers restricting access to the HTTP server feature with an access list, so that only trusted hosts and networks can reach it, an effective mitigation.
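The checks described above, and the account-creation and implant behaviour described in the earlier section, pulled together as an added shell example (example code written for this page, not Cisco's own tooling). The implant-check request, the configuration lines and the syslog message identifiers are the ones Cisco published for this vulnerability; the hostnames, the sample running-config and the log lines are constructed for the dry run, and the `--max-time` and allowlist handling are this example's own choices.

```shell
#!/bin/sh
# Added triage helpers for CVE-2023-20198 (example code, not Cisco's).
# The implant-check URL, the config lines and the syslog message IDs are the
# ones Cisco published; the hostnames, sample config and log lines are constructed.
set -u

# Cisco's published implant check: POST to this path on the device. A device
# running the implant answers with a string of hexadecimal characters; a clean
# device returns a normal web UI page (or nothing at all).
classify_implant_response() {
  if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]+$'; then
    echo implant
  else
    echo clean
  fi
}

check_device() {
  # --max-time keeps an unresponsive device from stalling a sweep; -k because
  # most IOS XE web UIs present a self-signed certificate.
  body=$(curl -sk -X POST --max-time 10 \
    "https://$1/webui/logoutconfirm.html?logon_hash=1" || true)
  printf '%s %s\n' "$1" "$(classify_implant_response "$body")"
}

# True (exit 0) when the web UI is reachable in the given running-config text.
# Per Cisco, "ip http server" / "ip http secure-server" expose it unless the
# matching "*active-session-modules none" line is also present.
webui_exposed() {
  cfg="$1"
  if printf '%s\n' "$cfg" | grep -Eq '^ip http server$' &&
     ! printf '%s\n' "$cfg" | grep -Eq '^ip http active-session-modules none$'; then
    return 0
  fi
  if printf '%s\n' "$cfg" | grep -Eq '^ip http secure-server$' &&
     ! printf '%s\n' "$cfg" | grep -Eq '^ip http secure-active-session-modules none$'; then
    return 0
  fi
  return 1
}

# Attacker-created accounts survive a reboot even though the implant does not.
# Print every privilege-15 username in the config that is not in the
# space-separated allowlist. Cisco Talos reported attacker-created accounts named
# cisco_tac_admin and cisco_support, but any unknown name deserves a look.
unexpected_admins() {
  cfg="$1"; allow=" $2 "
  printf '%s\n' "$cfg" | grep -E '^username [^ ]+ privilege 15' |
  while read -r kw name rest; do
    case "$allow" in
      *" $name "*) ;;
      *) echo "$name" ;;
    esac
  done
}

# Syslog lines Cisco Talos tied to the activity: the web UI installing a file,
# and a configuration change made programmatically by the web UI process. Both
# can occur legitimately, so hits are triage leads, not proof. Reads stdin.
count_indicators() {
  n=$(grep -Ec '%WEBUI-6-INSTALL_OPERATION_INFO:.*Install Operation: ADD|%SYS-5-CONFIG_P:.*SEP_webui_wsma_http') || true
  echo "$n"
}

# Constructed sample data (not real device output) for a dry run.
SAMPLE_CFG='hostname edge-rtr1
username netops privilege 15 secret 9 $9$example
username cisco_support privilege 15 secret 9 $9$example
ip http server
ip http secure-server
ip http authentication local'

SAMPLE_LOG='Oct 12 14:02:11 edge-rtr1 %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD /usr/binos/conf/nginx-conf/cisco_service.conf
Oct 12 14:02:15 edge-rtr1 %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_support on line 0
Oct 12 14:05:00 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)'

# Any hostnames given on the command line are swept with the live implant check;
# with no arguments the script only defines the helpers above.
for host in "$@"; do check_device "$host"; done
```

Run it as `sh triage.sh 10.0.0.1 10.0.0.2` to sweep devices for the implant, and feed `show running-config` and exported syslog into `webui_exposed`, `unexpected_admins` and `count_indicators` from a larger script. A device that reports "clean" is not necessarily uncompromised: the check only detects the implant, and the persistent attacker accounts are what the config review is for. Remediation on the device is `no ip http server` and `no ip http secure-server` in global configuration, or, where the web UI must stay up, an access list applied with `ip http access-class` that limits it to management hosts.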

Identifying the Threat Actors

Cisco has not attributed the activity, and the identity of the entities exploiting this vulnerability remains unknown. Yet, irrespective of who is behind these actions, the critical nature of the vulnerability mandates swift and decisive action to safeguard the integrity of organizational networks.