21 Oct 2023 | Newsroom | Zero-Day / Security vulnerability
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on vulnerable devices.
Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue is related to a privilege escalation flaw in the Web UI feature and is reported to have been used along with CVE-2023-20198 as part of an exploit chain.
“The attacker initially exploited CVE-2023-20198 to gain initial access and issued a command with permission 15 to create a local user and password combination,” Cisco said in an updated advisory released Friday. “This allowed the user to log in with normal user access.”
“The attacker then exploited another component of the Web UI functionality and used the new local user to elevate the privileges to root and write the implant to the file system,” Cisco added. That second flaw is the one that has now been assigned the identifier CVE-2023-20273.
A Cisco spokesperson told The Hacker News that a fix covering both vulnerabilities has been identified and will be made available to customers starting October 22, 2023. In the meantime, it is recommended to disable the HTTP server function.
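The interim mitigation above, shown as IOS XE CLI configuration. This is an added example, not taken from Cisco's advisory or the article; it assumes standard IOS XE syntax and that the device can tolerate losing the Web UI until the fix is installed. The "before" block is the weak state, the "after" block the hardened one, followed by checks that the listeners are off and that no unexpected local account was added (the advisory describes the attacker creating one).

```text
! --- Before (exposed): Web UI listening on HTTP and HTTPS ---
ip http server
ip http secure-server
!
! --- After (mitigation): disable both Web UI listeners ---
configure terminal
 no ip http server
 no ip http secure-server
end
! Persist the change so it survives a reload
copy running-config startup-config
!
! --- Verification ---
! Confirm the HTTP/HTTPS server is reported as disabled
show ip http server status
! Nothing should remain enabled under "ip http"
show running-config | include ip http
! Review every local account; an unfamiliar privilege 15 user is a red flag
show running-config | include username
```

If the Web UI is needed after patching, re-enable only the HTTPS listener and restrict its reachability rather than returning to the open configuration.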
While Cisco previously stated that a now-fixed vulnerability in the same software was exploited to install the backdoor, the company no longer assesses that older vulnerability as being in active use, in light of the discovery of the new zero-day.
“An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system,” said the US Cybersecurity and Infrastructure Security Agency (CISA). “Specifically, these vulnerabilities allow the actor to create a privileged account that provides complete control over the device.”
Successful exploitation of the flaws could allow attackers to gain unhindered remote access to routers and switches, monitor network traffic, inject and redirect traffic, and use the device as a persistent foothold into the network, since these devices typically lack endpoint protection solutions.
The development comes as it is estimated that more than 41,000 Cisco devices are running the vulnerable IOS XE software, according to LeakIX.
“As of October 19, the number of compromised Cisco devices fell to 36,541,” the attack surface management company said. “The main targets of this vulnerability are not large companies, but smaller companies and individuals.”