Urgent Security Alert: Critical Cisco ISE Flaw Actively Exploited, Allows Full System Takeover
A severe security vulnerability has been discovered in Cisco’s Identity Services Engine (ISE) that is under active exploitation by attackers. This critical flaw allows a remote, unauthenticated attacker to gain complete administrative control over an affected system, posing a significant risk to network security.
If your organization uses Cisco ISE, immediate action is required to mitigate this threat.
The Critical Flaw: Unauthenticated Admin Creation (CVE-2024-20353)
The most severe of the newly disclosed issues is a vulnerability tracked as CVE-2024-20353, which carries a high severity rating. This flaw exists in the Simple Object Access Protocol (SOAP) API of the system.
The impact is direct and severe: an attacker who can access the SOAP port can send a specially crafted API request. This request exploits the vulnerability to create a new administrator account with full privileges on the device. Because this attack is unauthenticated, the threat actor needs no prior access or credentials to execute it. This effectively hands over the keys to the kingdom, allowing an attacker to control network access policies and gain a powerful foothold within the internal network.
A Second Threat: Cross-Site Scripting (XSS) Vulnerability
In addition to the admin creation flaw, a second vulnerability, tracked as CVE-2022-20864, is also being exploited. This is a cross-site scripting (XSS) vulnerability found in the External RESTful Services (ERS) API.
While this flaw requires an attacker to trick an authenticated administrator into clicking a malicious link, its consequences are still serious. A successful exploit could allow the attacker to execute arbitrary code in the victim’s browser, steal session cookies, or access sensitive information, potentially leading to further system compromise.
Confirmed Exploitation in the Wild
Security researchers have confirmed that threat actors are actively exploiting these vulnerabilities in real-world attacks. These are not theoretical risks; they are being used right now to breach networks.
Attackers are leveraging these flaws for initial access, privilege escalation, and lateral movement. Once they create a rogue administrator account using CVE-2024-20353, they can manipulate network access policies, disable security features, and move deeper into the compromised environment, often undetected.
How to Protect Your Network: Immediate Steps to Take
Given the active exploitation and the severity of these vulnerabilities, organizations cannot afford to wait. Follow these steps immediately to secure your systems.
Identify Affected Systems: The vulnerabilities affect Cisco Identity Services Engine (ISE) and the Cisco Identity Services Engine Private Cloud (ISE-PIC). Review your asset inventory to determine if these products are in use in your environment.
Patch Immediately: Cisco has released software updates to address both vulnerabilities. Applying these patches is the most effective way to protect your systems. Do not delay deployment. Prioritize the update for all internet-facing or otherwise exposed ISE instances.
Hunt for Signs of Compromise: Because these flaws are being actively exploited, it is crucial to check for evidence of a breach. Security teams should:
- Audit all administrator accounts on Cisco ISE devices, looking for any unfamiliar or unauthorized user profiles.
- Review system logs for suspicious API requests, particularly to the SOAP and ERS endpoints.
- Monitor for unusual network activity originating from ISE appliances.
Restrict Access as a Precaution: As a best practice, always limit access to the management interfaces of critical network infrastructure like Cisco ISE. Ensure that only authorized personnel from trusted IP addresses can reach the management portal. This can serve as a powerful compensating control against future threats.
The combination of an unauthenticated remote takeover and confirmed active exploitation makes this a high-priority threat. Taking swift and decisive action is essential to prevent a potentially devastating network compromise.
Source: https://securityaffairs.com/180260/hacking/cisco-confirms-active-exploitation-of-ise-and-ise-pic-flaws.html
