Cisco has released a security advisory to address an actively exploited zero-day vulnerability (CVE-2023-20198) in the web user interface of Cisco IOS XE software.
Based on the evidence analyzed by Cisco, suspicious activity was observed on September 28, 2023, which included the creation of an unauthorized account on a customer's device.
On October 12, Cisco detected an additional cluster of related activity, which involved unauthorized account creation and the deployment of an implant.
_____________________________
A. Nature of Vulnerability
CVE-2023-20198
- This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
_____________________________
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Kindly review the official security advisory of Cisco and follow the recommendation to mitigate future threats.
- Proactively monitor the logs and network traffic to the identified systems and devices for any suspicious/malicious activities.
- For additional information, kindly refer to the official reports:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  - https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
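As an added defender-side check (example code written for this page, not taken from the CERT-PH, Cisco or Talos advisories), the script below audits a `show running-config` excerpt for the two conditions the advisory above concerns: an enabled web UI and privilege-15 local accounts outside an allowlist of known administrators. The hostname, usernames and config text are constructed sample values.

```python
import re

# Constructed sample of `show running-config` output from an IOS XE device
# (not real device output). "svc_unknown" stands in for the kind of
# unexpected privilege-15 account this audit is meant to surface.
SAMPLE_CONFIG = """\
hostname edge-router-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc_unknown privilege 15 secret 9 $9$placeholder
username helpdesk privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

# "username <name> privilege <level> ..." lines define local accounts.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
# "ip http server" / "ip http secure-server" enable the web UI; a leading
# "no " means the service is disabled.
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-)?server[ \t]*$", re.MULTILINE)


def web_ui_exposed(config: str) -> bool:
    """True if the HTTP or HTTPS web UI server is enabled in the config."""
    return any(m.group(1) is None for m in HTTP_RE.finditer(config))


def unexpected_priv15_users(config: str, expected: set[str]) -> list[str]:
    """Return privilege-15 local usernames that are not in the allowlist."""
    found = [name for name, level in USERNAME_RE.findall(config) if int(level) == 15]
    return sorted(name for name in found if name not in expected)


def audit(config: str, expected_admins: set[str]) -> dict:
    """Combine both checks into one report for a device configuration."""
    return {
        "web_ui_exposed": web_ui_exposed(config),
        "unexpected_priv15_users": unexpected_priv15_users(config, expected_admins),
    }


if __name__ == "__main__":
    # With only "netadmin" expected, the report flags the exposed web UI
    # and the unexpected "svc_unknown" account.
    print(audit(SAMPLE_CONFIG, {"netadmin"}))
```

Run it against each device's saved running-config and compare the flagged accounts with your change records; an account you did not create is the indicator the advisory describes.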