Urgent Security Alert: Critical Cisco IOS XE Zero-Day Vulnerability Actively Exploited
A critical zero-day vulnerability is being actively exploited in the wild, targeting Cisco devices running IOS XE software. This high-severity flaw allows unauthenticated remote attackers to gain full administrative control over affected routers and switches, creating a significant security risk for organizations worldwide.
This is not a theoretical threat; thousands of devices have already been observed as compromised. If your organization uses Cisco equipment, immediate action is required to assess your exposure and mitigate this threat.
Understanding the Critical Cisco IOS XE Vulnerability
The vulnerability, tracked as CVE-2023-20198, targets the web UI feature of the Cisco IOS XE software. The web UI is a web-based management interface that allows administrators to configure and monitor devices through a graphical interface instead of the command line.
The core of the issue is a privilege escalation flaw. An attacker can leverage this vulnerability to create a new user account on the device with the highest possible privilege level—level 15 access. This gives them complete control, equivalent to that of a legitimate network administrator.
Here’s what makes this vulnerability particularly dangerous:
- Zero-Day Exploit: Attackers were actively using this exploit before a patch was available, leaving many systems defenseless.
- Unauthenticated Access: The attacker does not need valid credentials to initiate the attack. Simply having the web UI exposed to the internet is enough.
- Full System Takeover: Once compromised, attackers can monitor network traffic, pivot to other internal systems, and maintain persistent access.
How the Attack Works: A Two-Stage Process
The attack chain observed in the wild involves two distinct steps. First, the attacker exploits CVE-2023-20198 to gain initial access and create a local user account.
Next, the attacker exploits a second, previously undisclosed vulnerability, CVE-2023-20273, to escalate the privileges of the newly created account to the maximum level. After gaining full admin rights, the attacker deploys a malicious implant. This implant, written in the Lua programming language, allows them to execute arbitrary commands at the system level, securing their control over the device and making detection more difficult.
In short, an attacker can go from an unauthenticated, remote position to having complete, persistent control of a core network device.
Is Your Network at Risk?
Your network infrastructure is at risk if you are running a Cisco device with IOS XE software and meet the following conditions:
- The web UI (HTTP/HTTPS Server) feature is enabled.
- The device is exposed to the internet or any untrusted network.
Even if you have configured an access control list (ACL) to restrict access to the web UI, you should still consider your device vulnerable and proceed with the mitigation steps outlined below.
Actionable Steps: How to Detect and Mitigate the Threat
Immediate action is necessary to protect your network. Follow these steps to check for compromise and secure your devices.
1. Disable the Public-Facing Web UI Immediately
This is the most critical and effective mitigation strategy until a patch can be applied. You should disable the HTTP Server feature on all internet-facing systems. To do this, use the following commands in global configuration mode:
no ip http server
no ip http secure-server
Disabling this feature is the only way to completely remove the attack vector. It will not impact the core functionality of the router or switch, only the ability to manage it via the web interface.
2. Hunt for Indicators of Compromise (IoCs)
You must check your devices for signs that they have already been compromised.
Check for Suspicious User Accounts: Review the device’s running configuration for any new or unfamiliar local user accounts. Use the following command to list all local users:
show running-config | include usernameInvestigate any username that was not created by your administrative team. Attackers have been observed creating usernames like
cisco_tac_admin,cisco_support, and other generic-sounding names to avoid suspicion.Review System Logs: Check device logs for messages related to the web UI that originate from suspicious or unknown IP addresses. Specifically, look for log entries containing
"%WEBUI-6-INSTALL_OPERATION_INFO". A message like this indicates that a file was installed via the web UI, which is a primary indicator of the implant being deployed.Check for the Malicious Implant: Cisco has provided a command to help detect the presence of the malicious implant. Run the following command from a workstation that can access the device (replace
{device-ip}with the device’s IP address):
curl -k -X POST "https://{device-ip}/webui/logoutconfirm.html?logon_hash=1"If the implant is present, you will receive a long hexadecimal string. If it is not present, the request should result in an error or redirect.
3. Apply Official Patches
Cisco has released software updates to address this vulnerability. Patching is the only permanent solution. Monitor Cisco’s Security Advisories for the latest information on fixed software releases for your specific device models and apply them as soon as possible. After patching, you can safely re-enable the web UI if it is required for your operations.
This vulnerability serves as a stark reminder of the importance of proactive security hygiene. Always strive to minimize your network’s attack surface by disabling unnecessary features and ensuring that management interfaces are never exposed to the public internet.
Source: https://go.theregister.com/feed/www.theregister.com/2025/09/25/zeroday_deja_vu_another_cisco/
