Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

[Zero-Day]Ongoing Battle between Cisco and Exploit Actors

Executive Summary

The exploits on the recent Cisco zero-day vulnerabilities, have undergone evolvement, making it challenging for researchers to track and detect.

Cisco has started releasing the fixes to address the vulnerabilities, along with updates to their enhanced guidance to identify compromised systems.

Organisations using impacted Cisco products are advised to closely follow Cisco’s updates and take prompt action.

The battle between Cisco and the threat actor behind the exploit is an ongoing and evolving one. We will continue to monitor the developments and keep you updated with the latest news. Please see our recent news about the ongoing Cisco exploits below:

About the Evolvement of the Exploit

The exploit chain targeting Cisco IOS XE systems involved a critical bug in the Web UI (CVE-2023-20198) and a second zero-day (CVE-2023-20273) that allowed attackers to gain access and elevate privileges. As security researchers observed and reported the infected systems, the threat actors altered the implant to avoid detection. By changing the implant’s behaviour, they made it difficult for previous fingerprinting methods to identify compromised devices, leading to a sudden decline in visible infections.

As of Thursday, it was reported that over 36,000 Cisco devices had been compromised. This number was lower than the previous day’s count. Over the weekend, the number of compromised devices continued to decrease, leaving security researchers puzzled. The decline in compromised devices was discovered by security researchers from Fox-IT, a part of the NCC Group. They found that the implant placed on tens of thousands of Cisco devices had been modified to check for an Authorisation HTTP header value before responding. This change in behaviour made it difficult for previous fingerprinting methods to detect the compromised systems, resulting in a significant decrease in visible infections. By using a different fingerprinting method, Fox-IT identified around 38,000 Cisco devices that remain compromised.

Cisco Updates

Cisco has released an updated version of IOS XE, which include the first fix, 17.9.4a several days after the vulnerability was initially discovered and exploited. The schedule for fixes for different versions of IOS XE has not been disclosed yet.

Cisco also updated its security advisory including the guidance to detect the presence of the implant, including a curl command for identifying implant variants.

In addition, Cisco has updated their scanners to counter the new variant hindering system identification. It is crucial for users of impacted Cisco products to follow Cisco’s security advisory and regularly check updates from Cisco.


In the ongoing battle between Cisco and the threat actor behind the exploit, organisations using affected Cisco products should stay vigilant and closely monitor updates from Cisco.

Taking timely action, implementing the provided guidance, and staying informed about the latest developments are essential to mitigate the risks associated with this exploit. It is also important for organisations to perform a forensic triage if they have had a Cisco IOS XE WebUI exposed to the internet to identify any compromised systems and take appropriate actions to address the issue.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.