Cisco has released a security advisory to address an actively exploited zero-day vulnerability (CVE-2023-20198) in the web user interface of Cisco IOS XE software.

Based on the evidence analyzed by Cisco, suspicious activity was observed on September 28, 2023, which included the creation of an unauthorized account on a customer's device.

Additionally, on October 12, Cisco detected a further cluster of related activity, which involved unauthorized account creation and the deployment of an implant.

_____________________________

A. Nature of Vulnerability

CVE-2023-20198

  • This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

_____________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Kindly review Cisco's official security advisory and follow its recommendations to mitigate future threats.
  • Proactively monitor logs and network traffic on the identified systems and devices for any suspicious or malicious activity.
  • For additional information, kindly refer to the official reports:
    • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
    • https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
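As an added example (not part of the CERT-PH or Cisco advisories), the following Python check supports the monitoring recommendation above: it parses collected `show running-config` output, flags any privilege-15 accounts not on an allowlist (the vulnerability creates exactly such accounts), and reports whether the web UI (`ip http server` / `ip http secure-server`) is enabled. The sample configuration, the account names and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of `show running-config` output; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 5 $1$placeholder
username helpdesk privilege 1 password 7 placeholder
!
ip http server
ip http secure-server
!
"""

# IOS XE local user lines carry the privilege level inline.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
# Either command enables the HTTP(S) server that hosts the web UI.
HTTP_RE = re.compile(r"^ip http (secure-)?server\s*$")


def find_privileged_accounts(config, expected):
    """Return privilege-15 usernames that are not in the expected allowlist."""
    unexpected = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and int(m.group(2)) == 15 and m.group(1) not in expected:
            unexpected.append(m.group(1))
    return unexpected


def web_ui_enabled(config):
    """True if the HTTP or HTTPS server (the IOS XE web UI) is configured."""
    return any(HTTP_RE.match(line.strip()) for line in config.splitlines())


def assess(config, expected):
    """Collect human-readable findings for a triage report."""
    findings = [f"unexpected privilege-15 account: {u}"
                for u in find_privileged_accounts(config, expected)]
    if web_ui_enabled(config):
        findings.append("web UI (ip http server / ip http secure-server) is enabled")
    return findings


if __name__ == "__main__":
    # "netadmin" is the only approved privilege-15 account in this constructed setup.
    for finding in assess(SAMPLE_CONFIG, {"netadmin"}):
        print(finding)
```

Run it against the saved configuration of each device in scope; any account it reports should be reconciled against change records before it is treated as benign.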