Project Hyphae

New Cisco Vulnerability Affects Tens of Thousands, Has Been Exploited Since September


On Monday, October 16th, 2023, Cisco warned that an unknown threat actor has been actively exploiting a previously unknown vulnerability since at least September 18th, 2023.

The vulnerability, tracked as CVE-2023-20198, carries the maximum CVSS severity rating of 10.0 and affects the web UI feature of devices running Cisco IOS XE software. Successful exploitation allows an unauthenticated remote attacker to create an account with privilege level 15, which grants full control of the compromised device. As of the time of the alert, the Shodan search engine identified more than 80,000 internet-connected devices that could be vulnerable.

At the time of the alert there was no patch available. Cisco strongly recommends that administrators disable the HTTP server feature (both HTTP and HTTPS) on all internet-facing systems, which is a sound default regardless of this vulnerability. Disabling the web UI blocks new exploitation but does not remove an account an attacker has already created, so exposed devices should also be checked for signs of compromise. Known IP addresses involved in the early exploitation are:

  • 5.149.249[.]74 (HostZealot Hosting Ltd, Amsterdam)
  • 154.53.56[.]231 (Contabo Inc, USA)

Search device logs (and any central syslog collector they forward to) for successful web UI logins from these addresses or from any address you do not recognize, and for logins or configuration changes by new or unrecognized user names. Any entry you cannot account for should be treated as possible evidence of compromise.
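One way to carry out that search over an exported syslog, as an added example that is not Cisco's tooling or code from the original post: the script below flags web UI logins and web-UI-driven configuration pushes that come from the two published addresses, from outside your trusted admin networks, or involve an account you do not recognize. The message shapes are modelled on IOS XE's SEC_LOGIN-5-WEBLOGIN_SUCCESS and SYS-5-CONFIG_P messages, but the log lines, the known-user list and the trusted network are constructed sample data; adjust the regexes to what your collector actually stores.

```python
"""Hunt an exported Cisco IOS XE syslog for the indicators named in the post.

Added example, not Cisco's tooling or the original post's code. Message formats
are modelled on IOS XE's SEC_LOGIN-5-WEBLOGIN_SUCCESS and SYS-5-CONFIG_P messages;
the sample log, user list and trusted network below are constructed test data.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Source addresses named in the post (defanging brackets removed for matching).
IOC_SOURCES = {"5.149.249.74", "154.53.56.231"}

# Web UI login success, e.g.
#   %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.15] at ...
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[0-9a-fA-F:.]+)\]"
)

# Configuration pushed programmatically; the web UI shows up as SEP_webui_wsma_http, e.g.
#   %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on line 0 (10.20.0.15)
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) "
    r"from console as (?P<user>\S+) on (?P<line>.+?) \((?P<src>[0-9a-fA-F:.]+)\)"
)


@dataclass
class Finding:
    line_no: int
    event: str          # "weblogin" or "config_p"
    user: str
    src: str
    reasons: list = field(default_factory=list)


def _in_trusted(src, trusted_nets):
    """True if src parses as an address inside one of trusted_nets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def hunt(log_text, known_users, trusted_cidrs):
    """Return a Finding for every web UI login or web UI config push that comes
    from an IOC address, from outside trusted_cidrs, or involves an unknown user."""
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        event, m = "weblogin", WEBLOGIN_RE.search(line)
        if not m:
            event, m = "config_p", CONFIG_P_RE.search(line)
            if not m:
                continue            # not a message type we triage here
        user, src = m.group("user"), m.group("src")
        f = Finding(line_no, event, user, src)
        if src in IOC_SOURCES:
            f.reasons.append("source is a published IOC address")
        elif not _in_trusted(src, trusted_nets):
            f.reasons.append("source outside trusted admin networks")
        if user not in known_users:
            f.reasons.append(f"user '{user}' is not a known account")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample export: one normal admin session, then activity from the IOC
# addresses including an account ('support_tmp') nobody on the team created.
SAMPLE_LOG = """\
Oct 18 08:02:11.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.15] at 08:02:11 UTC Wed Oct 18 2023
Oct 18 09:14:52.317: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 5.149.249.74] at 09:14:52 UTC Wed Oct 18 2023
Oct 18 09:15:03.540: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as support_tmp on line 0 (5.149.249.74)
Oct 18 09:15:40.002: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: support_tmp] [Source: 154.53.56.231] at 09:15:40 UTC Wed Oct 18 2023
Oct 18 11:40:27.777: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: backup_svc] [Source: 10.20.0.77] at 11:40:27 UTC Wed Oct 18 2023
Oct 18 12:00:00.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.15)
"""
KNOWN_USERS = {"netops", "admin"}      # hypothetical list of accounts you provisioned
TRUSTED_CIDRS = ["10.20.0.0/24"]       # hypothetical management network

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, KNOWN_USERS, TRUSTED_CIDRS):
        print(f"line {f.line_no}: {f.event} user={f.user} src={f.src}: {'; '.join(f.reasons)}")
```

Run against a real export, the interesting hits are a known account logging in from an address you do not own (a stolen session or password) and any account that appears in the log but never in your provisioning records; either one is the "unexplainable entry" the post tells you to chase down.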

For more information, including the full commands to check for and disable the exploitable services, see Cisco’s Product Security Incident Response Team (PSIRT) advisory.

Reach out to our incident response team for help
