New Cisco Vulnerability Affects Tens of Thousands, Has Been Exploited Since September


On Monday, October 17th, 2023, Cisco warned that an unknown threat actor has been actively exploiting a previously unknown vulnerability since at least September 18th, 2023.

The vulnerability, tracked as CVE-2023-20198, has the maximum CVSS severity rating of 10 and affects the web user interface of devices running Cisco IOS XE. Successful exploitation allows an attacker to create an account that grants full control of the compromised device. At the time of the alert, the Shodan search engine identified more than 80,000 internet-connected devices that could be vulnerable.

Currently, there is no patch available. Cisco is strongly recommending administrators completely disable the HTTP(S) server on all internet-facing systems (which is a good default practice anyway). Known IP addresses involved in the early exploitations are:

  • 5.149.249[.]74 (HostZealot Hosting Ltd, Amsterdam)
  • 154.53.56[.]231 (Contabo Inc, USA)

It is recommended that system logs be searched for successful web UI connections from these and any other unknown IP addresses, as well as for activity from new or unrecognized user names. Any unexplained entries could be evidence of compromise.
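As an added illustration of the log review recommended above (this is example code, not from the original post or from Cisco), the scanner below flags web UI login lines that come from the two IP addresses named here or that show a successful login by an account not on a local allowlist. The syslog line shape, hostnames, allowlisted accounts and sample log lines are all constructed assumptions and must be adapted to the real device's syslog format.

```python
import re
from dataclasses import dataclass

# The two addresses named in the advisory summary, refanged from "[.]" notation.
KNOWN_BAD_IPS = {s.replace("[.]", ".") for s in ("5.149.249[.]74", "154.53.56[.]231")}

# Hypothetical allowlist: accounts that are expected to use the web UI on this device.
EXPECTED_USERS = {"netadmin", "backup-svc"}

# Assumed (constructed) syslog shape; adapt the pattern to the device's actual messages.
LOGIN_RE = re.compile(
    r"webui: login (?P<result>success|failure) user (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

@dataclass
class Finding:
    line_no: int
    reason: str
    user: str
    ip: str

def scan_log(lines, bad_ips=KNOWN_BAD_IPS, expected_users=EXPECTED_USERS):
    """Return findings for web UI logins worth investigating, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a web UI login line
        result, user, ip = m.group("result"), m.group("user"), m.group("ip")
        if ip in bad_ips:
            # Any contact from a known-bad address is notable, even a failed login.
            findings.append(Finding(n, f"known-bad source IP ({result})", user, ip))
        elif result == "success" and user not in expected_users:
            # A successful login by an account nobody created is the key indicator.
            findings.append(Finding(n, "unrecognized user name", user, ip))
    return findings

# Constructed sample log lines (hostnames, users and non-advisory IPs are made up).
SAMPLE_LOG = [
    "Sep 20 02:14:07 edge-rtr1 webui: login success user svc_admin2 from 5.149.249.74",
    "Sep 20 09:30:11 edge-rtr1 webui: login success user netadmin from 10.20.0.15",
    "Sep 21 11:02:55 edge-rtr1 webui: login success user tmpuser from 198.51.100.23",
    "Sep 21 11:05:00 edge-rtr1 webui: login failure user netadmin from 154.53.56.231",
    "Sep 21 11:06:30 edge-rtr1 webui: login failure user guest from 203.0.113.9",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: user={f.user} ip={f.ip}")
```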


For more information, including full commands to check or disable the exploitable services, please visit Cisco’s Product Security Incident Response Team (PSIRT) advisory here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z


