On Monday, October 17th, 2023, Cisco warned that an unknown threat actor has been actively exploiting a previously unknown vulnerability since at least September 18th, 2023.
The vulnerability, tracked as CVE-2023-20198, carries the maximum CVSS severity rating of 10 and affects the web user interface of devices running Cisco IOS XE. Successful exploitation allows an attacker to create an account that grants full control of the compromised device. At the time of the alert, the Shodan search engine identified as many as 80,000+ internet-connected devices that could be vulnerable.
Currently, there is no patch available. Cisco is strongly recommending that administrators completely disable the HTTP(S) server on all internet-facing systems (which is good default practice anyway). Known IP addresses involved in the early exploitation are:
- 5.149.249[.]74 (HostZealot Hosting Ltd, Amsterdam)
- 154.53.56[.]231 (Contabo Inc, USA)
It is recommended that system logs be searched for successful web UI connections from these and any other unknown IP addresses, as well as for activity from new or unrecognized user names. Any unexplained entries could be evidence of compromise.
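The log review described above, as an added example that is not part of the original alert or of Cisco's advisory: a small Python triage script that reads successful web UI login records, flags any whose source address is in the alert's IoC list, whose source lies outside an expected management network, or whose user name is not a known administrator. The log line shape (a `WEBLOGIN_SUCCESS` message carrying `[user: ...]` and `[Source: ...]` fields), the management network, the administrator allowlist and the sample log lines are all constructed assumptions for the example; adapt the regex to the exact format your devices emit.

```python
import re
from ipaddress import ip_address, ip_network

# Source addresses named in the alert (defanged in the text, undefanged here for matching).
KNOWN_BAD_IPS = {"5.149.249.74", "154.53.56.231"}

# Constructed assumptions: replace with your organisation's real values.
MGMT_NETS = [ip_network("10.20.0.0/24")]        # networks admins are expected to log in from
KNOWN_ADMIN_USERS = {"netadmin", "noc-ops"}     # accounts that should exist on the device

# Assumed log shape for a successful web UI login; adjust to your devices' actual format.
WEBLOGIN_RE = re.compile(
    r"WEBLOGIN_SUCCESS.*?\[user:\s*(?P<user>[^\]]+)\].*?\[Source:\s*(?P<ip>[^\]]+)\]"
)

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    "Oct 18 03:42:13.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netadmin] "
    "[Source: 10.20.0.5] at 03:42:13 UTC Wed Oct 18 2023",
    "Oct 18 04:10:51.420: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc_backup] "
    "[Source: 5.149.249.74] at 04:10:51 UTC Wed Oct 18 2023",
    "Oct 18 04:11:02.003: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.20.0.5)",
    "Oct 18 05:00:00.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: noc-ops] "
    "[Source: 198.51.100.77] at 05:00:00 UTC Wed Oct 18 2023",
]


def outside_mgmt(ip):
    """True when the address is not inside any expected management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as unexpected
    return not any(addr in net for net in MGMT_NETS)


def triage_line(line):
    """Return (user, ip, reasons) for a successful web UI login, or None for other lines.

    An empty reasons list means the login looks expected.
    """
    m = WEBLOGIN_RE.search(line)
    if not m:
        return None
    user = m.group("user").strip()
    ip = m.group("ip").strip()
    reasons = []
    if ip in KNOWN_BAD_IPS:
        reasons.append("source IP in alert IoC list")
    if outside_mgmt(ip):
        reasons.append("source IP outside management networks")
    if user not in KNOWN_ADMIN_USERS:
        reasons.append("unrecognised user name")
    return user, ip, reasons


def triage(lines):
    """Return (line, user, ip, reasons) for every web UI login that needs a look."""
    hits = []
    for line in lines:
        result = triage_line(line)
        if result and result[2]:
            hits.append((line, *result))
    return hits


if __name__ == "__main__":
    for line, user, ip, reasons in triage(SAMPLE_LOGS):
        print(f"REVIEW user={user} src={ip}: {', '.join(reasons)}")
```

Feed the script the device's syslog export (or the output of `show logging`) one line at a time; a hit on the IoC list or an unknown account is a candidate compromise and the device should be treated as such until its running configuration and local user database have been reviewed.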
For more information, including full commands to check or disable the exploitable services, please visit Cisco’s Product Security Incident Response Team (PSIRT) advisory here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
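As an added illustration rather than text from the alert or the PSIRT advisory, the standard IOS XE CLI sequence for checking whether the web UI listeners are enabled and turning them off; confirm the exact steps against the advisory linked above before applying them, and verify first that no management tooling relies on the web UI.

```text
! Check whether the HTTP / HTTPS server is currently enabled
show running-config | include ip http

! Disable both listeners (configuration mode), then save the change
configure terminal
no ip http server
no ip http secure-server
end
write memory
```

If the web UI must stay reachable for internal tooling, restricting it to a management network instead of exposing it to the internet is the fallback, but the alert's recommendation is to disable it outright on internet-facing systems.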