On Monday, 16 October, Cisco reported a critical zero-day vulnerability in the web UI feature of its IOS XE software actively being exploited by threat actors to install Remote Access Tools (RATs) and backdoor vulnerable devices exposed on the internet. The vulnerability, identified as CVE-2023-20198, enables an attacker without authentication to create a highly privileged account on the affected network device in order to gain full control and execute arbitrary commands. The Cisco IOS XE software is utilized on several of Cisco’s widely used enterprise networking devices – switches, routers, etc.

Risks of Compromise

On Tuesday, 17 October, Researchers at VulnCheck performed an internet scan and identified 10,000+ compromised Cisco IOS XE systems that had been implanted with the unidentified threat actor(s) RAT.  Attackers with this type of unfettered remote access to a network device could take the following actions with associated impacts:

• monitor network traffic – eavesdropping on privileged network communications.
• inject and redirect network traffic – exposing the enterprise to man-in-the-middle attacks.
• breach protected network segments.
• utilize it as a persistent beachhead to the network as there is a lack of detection/protection solutions for these devices and they can often go overlooked during patch-cycles until a disruption to user activity is noticed.

Current known indicators of compromise include:

• Exploitation of CVE-2023-20198: Unexplained or newly created users on devices running IOS XE
• Threat Actor RAT: Cisco identified the following command to identify whether the unknown Threat Actor’s RAT is present on the device:
  • curl -k -X POST “https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1“
  • DEVICEIP is a placeholder for the IP address of the device to check
  • If the request returns a hexadecimal string, the RAT is present.
  • Alternatively, use the HTTP scheme for insecure web interfaces.

Immediate Measures

Organizations are strongly advised to disable the web UI (HTTP Server) component on all internet-facing systems immediately. This can be done using the

no ip http server

 or

no ip http secure-server 

commands in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. It’s also recommended to avoid exposing the web UI and management services to the internet or to untrusted networks​.

Long-term Strategy

While disabling the web UI component and limiting internet exposure reduces risk from known attack vectors, it does not mitigate the risk from RATs that might have already been deployed on vulnerable systems. It’s crucial to invoke incident response procedures to prioritize hunting for indicators of compromise as they are published.

Cisco has yet to release a patch for CVE-2023-20198. Additionally, Cisco observed the threat actor(s) using 2 different techniques to install the RAT once the device has been compromised:

• Exploiting CVE-2021-1435, patched in 2021
• On fully patched devices – “through an as of yet undetermined mechanism.”

The exploitation of CVE-2023-20198 underscores the critical need for robust cybersecurity measures and immediate response actions within organizations. The active exploitation of this vulnerability demonstrates the relentless efforts by malicious actors to exploit system weaknesses, making it imperative for organizations to apply immediate patches and also have a long-term, sustainable cybersecurity strategy in place. Regularly monitoring system logs for unusual activities, training staff to recognize potential threats, having an incident response plan ready, and subscribing to a routine of frequent internal and external penetration testing are some of the key steps in creating a resilient cybersecurity infrastructure.

Cisco Advisory, Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

Cisco Talos Threat Advisory, Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability

VulnCheck, Widespread Cisco IOS XE Implants in the Wild

NVD, CVE-2023-20198 Details

Rapid7 Blog, CVE-2023-20198: Active Exploitation of Cisco IOS XE Zero-Day Vulnerability

Cisco, Cisco IOS XE