
Attackers are actively exploiting a zero-day vulnerability in Cisco devices to gain full administrative privileges and take complete control of the device remotely.

Cisco has warned of a maximum-severity authentication bypass zero-day vulnerability in its IOS XE software. The vulnerability allows a remote, unauthenticated user to create a highly privileged account and take control of the system. Cisco devices running IOS XE software include enterprise switches, aggregation and industrial routers, access points and wireless controllers. The vulnerability, which is tracked as CVE-2023-20198, does not currently have a fix available. However, it only affects devices that have the Web User Interface enabled. There are over 140,000 Cisco devices that have their Web UI enabled and exposed to the internet. Over 3,500 of those exposed devices are in Australia. It was discovered that attackers have been exploiting this vulnerability since 18 September and that over 10,000 devices have been hacked. The attackers were observed creating local admin accounts with usernames such as cisco_support and cisco_tac_admin. Cisco recommends disabling the vulnerable HTTP server feature on all internet-facing systems until a patch becomes available, and looking for suspicious or recently created user accounts as potential signs of malicious activity linked to this vulnerability.
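The two checks the segment recommends, turned into a small defender-side audit of a saved IOS XE running-config: is the Web UI (`ip http server` / `ip http secure-server`) on, and do any privilege-15 local accounts exist that are either the reported attacker names or simply absent from the operator's own allowlist. This is an added example, not Cisco's tooling; the config excerpt is constructed, and the `known_admins` allowlist is an assumed operator-supplied input.

```python
"""Audit an IOS XE running-config for the Web UI exposure and account indicators above."""
import re

# Constructed sample running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
username helpdesk privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
"""

# Account names the segment reports the attackers creating.
SUSPICIOUS_USERNAMES = {"cisco_support", "cisco_tac_admin"}

# 'username <name> [privilege <n>] ...'; privilege defaults to 1 when absent.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")

def web_ui_enabled(config: str) -> bool:
    """True if the HTTP or HTTPS server (the Web UI) is on.
    A disabled feature appears as 'no ip http server', which does not match."""
    lines = {line.strip() for line in config.splitlines()}
    return bool(lines & {"ip http server", "ip http secure-server"})

def local_accounts(config: str) -> dict:
    """Map each local username to its privilege level."""
    accounts = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            accounts[m.group(1)] = int(m.group(2) or 1)
    return accounts

def audit(config: str, known_admins: set) -> dict:
    """Flag Web UI exposure, the known-bad names, and every privilege-15
    account missing from the operator's allowlist (catches renamed accounts)."""
    accounts = local_accounts(config)
    return {
        "web_ui_enabled": web_ui_enabled(config),
        "known_bad_accounts": sorted(set(accounts) & SUSPICIOUS_USERNAMES),
        "unexpected_admins": sorted(
            u for u, lvl in accounts.items() if lvl == 15 and u not in known_admins
        ),
    }

if __name__ == "__main__":
    # 'netadmin' is the assumed legitimate administrator for this sample.
    print(audit(SAMPLE_CONFIG, known_admins={"netadmin"}))
```

Feed it `show running-config` output collected over SSH from each device; a device that reports `web_ui_enabled` true is still exposed until `no ip http server` and `no ip http secure-server` are applied.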

This segment was created for the It’s 5:05 podcast