Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised

A threat actor has already infected thousands of Internet exposed Cisco IOS XE devices with an implant for arbitrary code execution via an as-yet-unpatched maximum severity vulnerability in the operating system.

Cisco disclosed the flaw, identified as CVE-2023-20198, on Oct. 17, with a warning about exploit activity in the wild targeting the flaw. The bug, which has a severity rating of 10 out of 10 on the CVSS vulnerability-severity scale, is present in the Web UI component of IOS XE. 

The company said it had observed an attacker using the vulnerability to gain administrator level privileges on IOS XE devices, and then, in an apparent patch bypass, abusing an older remote code execution (RCE) flaw from 2021 (CVE-2021-1435) to drop a Lua-language implant on affected systems.

Now, those attacks appear to have a global footprint.

Unpatched Bug Leads to 10K Infected Cisco Systems

Cisco's security advisory noted that the company had responded to reports of unusual activity tied to the flaw from multiple customers. But the actual scope of the infections appears to be a lot higher than what was apparent from the advisory.

Jacob Baines, CTO at VulnCheck says his company has fingerprinted at least 10,000 Cisco IOS XE systems with the implant on them — and that's from scanning just half of the affected devices that are visible on search engines such as Shodan and Censys.

"From what we can tell, it doesn't not appear to be localized," Baines says. "The IPs geolocate to a wide number of countries all over the globe."

Baines says it's somewhat difficult to determine if the attacks are opportunistic or targeted. On the one hand, opportunistic attacks often involve threat actors using publicly available or researcher-developed proof-of-concept (PoC) exploits. 

But that's not what has happened with the activity targeted at CVE-2023-20198 so far, he says. "Not only did the attackers allegedly use a zero day — and perhaps a second patch bypass — but they also deployed a custom implant. That isn't opportunistic." 

Yet at the same time, the sheer number of exploited systems suggests more of an indiscriminate approach, Baines says.

Cisco Pwning Likely From a Single Threat Actor

The fact that the compromised Cisco IOS XE systems all have the same implant suggests that one threat actor is behind the attacks. "Because the initial auth-bypass vulnerability was — and still is unpatched —finding vulnerable targets is as simple as a Shodan query," Baines adds. Because Cisco has not made details of the vulnerability public yet, it is to ascertain how easy or not CVE-2023-20198 is to exploit, he notes.

Researchers at Detectify too on Oct. 17 reported observing what appears to be Internet-wide exploit activity targeting the Cisco zero-day vulnerability. But they believe the threat actor behind it is opportunistically hitting every affected system they can find. "The attackers seem to be casting a wide net by attempting to exploit systems without a specific target in mind first," one researcher from the firm says. The approach appears to be to "exploit everything first and then determine what is interesting." Detectify's researchers shared Baines' assessment about affected systems being trivially easy to find via search engines like Shodan.

Detectify's team only verified a relatively limited number of systems as being infected while building a test for detecting the implant for customers, the researcher says. But it is conceivable that thousands of systems have the implant, the researcher adds.

Access Lists Are Effective Mitigation

Cisco has not yet released a patch for the zero-day threat. But the company has recommended that organizations with affected systems immediately disable the HTTPS Server feature on Internet-facing IOS XE devices. On Oct. 17, Cisco updated its advisory to note that controlling access to the HTTPS Server feature using access lists, works as well.

"We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation," Cisco said. When implementing access controls for these services, organization need to be cognizant of what they are doing because of the potential for interruption of production services, the company cautioned.

Cisco did not respond to a Dark Reading question about the reports about thousands of systems having the implant via the new zero-day bug. But in an emailed statement the company said it is "working non-stop" to provide a software fix. In the meantime, customers should immediately implement the steps outlined in the security advisory, the statement reiterated. 

"Cisco has nothing more to share at this time but will provide an update on the status of our investigation through the security advisory. Please refer to the security advisory and Talos blog for additional details."