Tagvent 2023

The Fourth Day Of Tagsmas (2023): A Critical Weakness In Cisco IOS XE (CVE-2023-20198)

CVE
CVE-2023-20198
In CISA KEV
Vulnerability
Zeroday | Critical Privilege Escalation
Description
CVE-2023-20198 is a critical privilege escalation vulnerability found in the Web UI component of Cisco IOS XE software. It allows unauthenticated attackers to create an account with full administrator privileges, enabling them to take over the affected system.
Tags

Discovery and Initial Impact:

CVE-2023-20198 was disclosed by Cisco Talos. It allows an unauthenticated, remote attacker to create a local account with privilege level 15 (full administrative rights) on any vulnerable Cisco IOS XE device whose web UI is reachable. With that account the attacker has complete control of the system.

Cisco assigned CVE-2023-20198 a CVSS base score of 10.0, the maximum, because exploitation needs no authentication or user interaction and yields full control of the device. Talos reported that the vulnerability had been exploited in the wild since at least September 18, 2023, roughly a month before the public advisory.

Initial internet scans found more than 140,000 Cisco devices with the web UI exposed to the internet and therefore potentially vulnerable. Given an attack surface that large and weeks of exploitation before disclosure, defenders should assume that some of their internet-facing devices were already compromised through this vulnerability.

Exploitation and Long-Term Impacts

The vulnerability was already being exploited in the wild, and no patch was available when Cisco published its advisory; the only mitigation at the time was to disable the HTTP server feature or restrict access to it. Cisco began releasing fixed IOS XE versions on October 22, 2023.

The observed attack chain has two stages. First, the attackers exploit CVE-2023-20198 to gain initial access and create a privilege level 15 account. Next, using that account, they exploit CVE-2023-20273, a command injection flaw in the same web UI that was also a zero-day at the time, to write a Lua-based implant to the device. The implant is a web shell that lets the attacker remotely execute arbitrary commands at the system (root) level or at the IOS level.

Cisco Talos has observed additional post-exploitation activity, including lateral movement and deployment of a custom backdoor to maintain access. The implant itself does not survive a reboot, but the attacker-created accounts do, so a device can remain under attacker control even after both vulnerabilities are patched.

Scans of exposed devices estimated that more than 40,000 Cisco devices had been infected with the implant.

Why Defenders Should Still Be Concerned

While patches for CVE-2023-20198 are now available, any device that had the web UI reachable from the internet during the exploitation window may already have been compromised. Defenders should patch first and then run incident response on the assumption that a breach occurred: review the running configuration for privilege level 15 accounts nobody created, check the device for the implant, and rotate any credentials stored on or usable from the device.

Threat actors can keep access through secondary implants or leftover accounts even after the initial vulnerabilities are patched, so ongoing monitoring for unusual management traffic and unexplained configuration changes is essential. The incident also underscores two basics: never expose management interfaces such as the IOS XE web UI to untrusted networks (disable the HTTP server with no ip http server and no ip http secure-server where it is not needed, or restrict it with an ip http access-class ACL), and apply least privilege to management access.
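The following is an added example, not code from the original page or from Cisco: a small Python triage helper that applies the compromise indicators described in the two sections above to exported IOS XE syslog and interprets the response of Cisco's published implant check. The syslog message formats, the attacker account names cisco_tac_admin and cisco_support, and the logoutconfirm.html check are those Cisco published in its advisory; the sample syslog lines, the host name and the expected_users set are constructed for this example.

```python
"""Triage helpers for CVE-2023-20198 / CVE-2023-20273 on Cisco IOS XE.

Added example, not Cisco's or the original page's code. Log formats and the
logoutconfirm.html check follow Cisco's advisory; sample data is constructed.
"""
import re

# Indicator 1: configuration written by the web UI server process. On a device
# nobody is administering through the web UI, this is the attacker's new account
# being added.
CONFIG_BY_WEBUI = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http"
)
# Indicator 2: a successful web UI login; the user and source are captured so the
# account can be compared against those the operator actually created.
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]"
)
# Indicator 3: a file installed through the web UI, which is how the implant is dropped.
INSTALL_ADD = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: ADD (?P<file>\S+)"
)

# Account names Talos reported the attackers creating (from the public advisory).
KNOWN_ATTACKER_USERS = {"cisco_tac_admin", "cisco_support"}

# Constructed sample syslog in Cisco's published formats; timestamps, addresses and
# the legitimate account "netops" are made up for the example.
SAMPLE_SYSLOG = [
    "*Oct 11 03:41:59.102: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as user on line",
    "*Oct 11 03:42:13.551: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: cisco_tac_admin] [Source: 192.0.2.10] at 03:42:13 UTC Wed Oct 11 2023",
    "*Oct 11 03:42:40.007: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD cisco_service.conf",
    "*Oct 11 09:00:01.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 10.0.0.5] at 09:00:01 UTC Wed Oct 11 2023",
    "*Oct 11 09:05:12.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
]


def triage_syslog(lines, expected_users):
    """Return (severity, line, reason) for every line that matches an indicator.

    expected_users: the set of accounts the operator legitimately created; web UI
    logins by any other account are flagged.
    """
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        if CONFIG_BY_WEBUI.search(line):
            findings.append(("high", line, "config written by web UI process SEP_webui_wsma_http"))
            continue
        m = WEBLOGIN.search(line)
        if m:
            user, src = m.group("user"), m.group("src")
            if user in KNOWN_ATTACKER_USERS:
                findings.append(("critical", line, f"web UI login by known attacker account {user} from {src}"))
            elif user not in expected_users:
                findings.append(("high", line, f"web UI login by unexpected account {user} from {src}"))
            continue
        m = INSTALL_ADD.search(line)
        if m:
            findings.append(("critical", line, f"file {m.group('file')} installed via web UI by {m.group('user')}"))
    return findings


def implant_check_command(host):
    """Cisco's published check: an implanted device answers this POST with a hex string."""
    return f'curl -k -X POST "https://{host}/webui/logoutconfirm.html?logon_hash=1"'


HEX_ONLY = re.compile(r"[0-9a-fA-F]+")


def implant_present(response_body):
    """Interpret the body returned by implant_check_command().

    Cisco documents that an implanted device returns a hexadecimal string; a clean
    device returns the normal web UI response (HTML) or nothing, which this
    heuristic treats as not implanted.
    """
    body = response_body.strip()
    return bool(body) and HEX_ONLY.fullmatch(body) is not None


if __name__ == "__main__":
    for severity, line, reason in triage_syslog(SAMPLE_SYSLOG, {"netops"}):
        print(f"[{severity}] {reason}\n    {line}")
    print(implant_check_command("router.example.net"))  # hypothetical host name
```

Run the check against a real device only from a host you control, and treat a negative result with care: the implant was later modified to answer only when a specific Authorization header is sent, so the plain check above can miss newer variants. A positive syslog finding or an unexplained privilege level 15 account in the running configuration is sufficient reason to treat the device as compromised regardless of what the implant check returns.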
