On October 21, 2023, Cisco issued a warning about a new zero-day flaw in IOS XE that had been exploited by an unknown threat actor to deploy a malicious Lua-based implant on vulnerable devices. The vulnerability, tracked as CVE-2023-20273, is a privilege escalation flaw in the web UI feature and was used alongside CVE-2023-20198 as part of an exploit chain.
The attacker initially used CVE-2023-20198 to gain access and create a local user with elevated privileges. Then, another component of the web UI feature was exploited to escalate privileges to root and write the implant to the file system. Cisco has identified a fix for both vulnerabilities, which will be available to customers starting October 22, 2023.
Until the fix is applied, Cisco recommends disabling the HTTP server feature on affected devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that these vulnerabilities could allow attackers to take control of affected systems by creating a privileged account. Successful exploitation could give an attacker remote access to routers and switches, the ability to monitor, inject and redirect network traffic, and a persistent presence on the network.
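The two observable conditions from the paragraphs above, an exposed web UI (the `ip http server` / `ip http secure-server` feature) and an unexpected local user with privilege level 15, can both be checked offline against an exported running-config. The following script is an added example and is not Cisco's own tooling; it assumes standard IOS configuration syntax for those commands, and the sample configuration embedded in it is constructed, not taken from a real device.

```python
"""Audit an IOS XE running-config export for web UI exposure and
unexpected privilege-15 local users.

Added example (not Cisco tooling). Assumes standard IOS syntax:
  ip http server / ip http secure-server  -> web UI enabled
  username NAME privilege 15 ...          -> privileged local user
The sample config below is constructed for illustration.
"""
import re

# Constructed sample running-config; "svc_backup" is a hypothetical
# privileged user the operator did not create.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username admin privilege 15 secret 9 $9$constructed-hash-1
username svc_backup privilege 15 secret 9 $9$constructed-hash-2
username netops privilege 1 secret 9 $9$constructed-hash-3
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Optional "no " prefix so "show running-config all" output is handled too.
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-)?server\s*$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+)")


def audit_config(config: str, known_admins: set) -> dict:
    """Return which web UI listeners are enabled and which privilege-15
    users are not in the operator's approved list."""
    findings = {
        "http_server": False,        # absent line treated as disabled
        "https_server": False,
        "unexpected_priv15_users": [],
    }
    for raw in config.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            enabled = m.group(1) is None            # no leading "no "
            key = "https_server" if m.group(2) else "http_server"
            findings[key] = enabled
            continue
        m = USER_RE.match(line)
        if m and int(m.group(2)) == 15 and m.group(1) not in known_admins:
            findings["unexpected_priv15_users"].append(m.group(1))
    return findings


def remediation(findings: dict) -> list:
    """Config-mode commands that disable the exposed web UI listeners.
    Unexpected users are reported, not removed: they are evidence."""
    cmds = []
    if findings["http_server"]:
        cmds.append("no ip http server")
    if findings["https_server"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG, known_admins={"admin"})
    print("findings:", result)
    print("remediation:", remediation(result))
```

Run it against the output of `show running-config` from each device; any name in `unexpected_priv15_users` should be treated as an indicator to investigate rather than something to silently delete, since the account is the trace the advisory says the attacker leaves behind.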
Data from Censys and LeakIX suggests that over 41,000 Cisco devices running the vulnerable IOS XE software have been compromised by threat actors using these security flaws. The compromised devices appear to belong mostly to smaller entities and individuals rather than large corporations.