Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Posts
Filter by Categories







[ZeroDay] Update: Active Exploit of Unpatched Cisco Vulnerabilities

Executive Summary

Cisco has disclosed a new zero-day vulnerability (CVE-2023-20273, CVSS score: 7.2) in its IOS XE software, actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. This flaw, in conjunction with another vulnerability (CVE-2023-20198, CVSS score: 10.0), forms an exploit chain allowing unauthorized remote access to devices. Cisco has identified a fix for both vulnerabilities, to be available to customers from October 22, 2023.

Update on Ongoing Cisco Exploits

The exploit chain starts with the exploitation of CVE-2023-20198, allowing the attacker to gain initial access and create a local user and password combination.

Following this, the attacker exploits CVE-2023-20273 using the newly created local user to escalate privileges to root and write a malicious implant to the file system. Unlike the previously believed CVE-2021-1435, the new zero-day vulnerability is now identified as part of this exploit chain, providing the attackers a way to maintain persistent access to the affected systems.

On October 20, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance addressing these two vulnerabilities being actively exploited.

CISA urges organisations running Cisco IOS XE Web UI to review their guidance and implement the recommended mitigations, which include disabling the HTTP Server feature on internet-facing systems and conducting a hunt for malicious activity on their network.

About CVE-2023-20273

CVE-2023-20273 is a zero-day vulnerability in Cisco IOS XE software, specifically in the Web User Interface (Web UI) feature. This vulnerability has been actively exploited since its disclosure on October 20, 2023. Cisco has assigned it an initial CVSS score of 7.2. However, it has not yet been added to NIST NVD, and a final CVSS score has not been determined.

Successful exploitation of this vulnerability would grant an attacker full administrator privileges, allowing them to take control of the affected router and perform unauthorised activities.

About CVE-2023-20198

CVE-2023-20198 is a critical privilege escalation vulnerability in Cisco IOS XE software’s Web User Interface (Web UI) feature. With a CVSS score of 10, this vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which grants full access to all commands.

Please see our recent news article for more information about CVE-2023-20198.

Response from Cisco

On October 22, Cisco updated its security advisory regarding the exploit in light of the new zero-day vulnerability, CVE-2023-20273.

Please be aware that there is currently no available patch for either of these vulnerabilities. However, Cisco has provided mitigations and other information in its security advisory. Below is a decision tree provided by Cisco as part of their recommendations:

RECENT BLOG POSTS

PODCASTS

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.