This advisory is for organizations that use the Cisco IOS XE software to manage Cisco devices. If your organization does not use this platform, this notification may be discarded.
Cisco has announced the discovery of a zero-day privilege escalation vulnerability in the Web User Interface of Cisco IOS XE software when that interface is exposed to the internet. It affects any of these platforms that have the HTTP or HTTPS Server feature enabled and reachable from the internet. The vulnerability is considered critical and has been assigned the highest possible Common Vulnerability Scoring System (CVSS) score of 10.0.
NOTE: The only current mitigation is to disable HTTP/HTTPS Server functionality on all internet-facing IOS XE devices.
The vulnerability allows an unauthenticated, remote attacker to create a user account on an affected system with privilege level 15 (full administrative access), which lets the attacker gain control of that system.
Talos Intelligence has noted attackers using this access to install an implant on the affected device.
CVE-2023-20198 – Cisco IOS XE Software Web Management User Interface Vulnerability
This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled.
Users may verify whether the Web UI is enabled by logging into the system and using the command:
show running-config | include ip http server|secure|active
Check the output for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either or both commands are present, the HTTP Server feature is enabled on this system.
(This only indicates that the HTTP Server feature is enabled, not that the device has been attacked.)
There is no patch YET for this vulnerability. Cisco urges users to disable the HTTP Server feature on all internet-facing systems.
To disable, enter global configuration mode and use the command(s):
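The following is an added worked example, not part of the Cisco or Talos advisory text: a small parser that takes the output of the "show running-config | include ip http server|secure|active" check above, reports which web UI listeners are enabled, and produces the corresponding disable commands. The sample configuration text is constructed for illustration. The disable commands it emits, "no ip http server" and "no ip http secure-server", are the standard IOS XE global-configuration negations of the two commands the advisory tells you to look for.

```python
import re

# Constructed sample output of the advisory's check on a device that
# still has both the HTTP and HTTPS servers enabled.  The third line is
# another "ip http" setting matched by the filter; it is not itself a
# listener and is deliberately ignored by the parser.
SAMPLE_CONFIG_EXPOSED = """\
ip http server
ip http secure-server
ip http active-session-modules none
"""

# Constructed sample from a device after the mitigation has been applied.
SAMPLE_CONFIG_DISABLED = """\
no ip http server
no ip http secure-server
"""

# Matches "ip http server" / "ip http secure-server" with an optional "no " prefix.
HTTP_LINE = re.compile(r"^\s*(no\s+)?ip http (server|secure-server)\s*$")


def web_ui_status(running_config: str) -> dict:
    """Return {"http": bool, "https": bool} describing which web UI
    listeners the running configuration enables.  A line is only counted
    as enabling a listener if it is the positive form of the command."""
    status = {"http": False, "https": False}
    for line in running_config.splitlines():
        match = HTTP_LINE.match(line)
        if not match:
            continue
        negated = match.group(1) is not None
        key = "http" if match.group(2) == "server" else "https"
        status[key] = not negated
    return status


def web_ui_enabled(running_config: str) -> bool:
    """True if either the HTTP or the HTTPS web UI server is enabled."""
    return any(web_ui_status(running_config).values())


def mitigation_commands(running_config: str) -> list:
    """Global-configuration commands needed to disable every enabled
    listener (standard IOS XE syntax, assumed here; verify on your platform)."""
    status = web_ui_status(running_config)
    commands = []
    if status["http"]:
        commands.append("no ip http server")
    if status["https"]:
        commands.append("no ip http secure-server")
    return commands


if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_CONFIG_EXPOSED),
                      ("disabled", SAMPLE_CONFIG_DISABLED)):
        print(name, web_ui_status(cfg), mitigation_commands(cfg))
```

Run it against the real output of the show command on each internet-facing device; a non-empty list from mitigation_commands is the set of lines to enter in global configuration mode, followed by saving the configuration. An empty list means neither listener is enabled, which, as the advisory notes, says nothing about whether the device was already compromised.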
Cisco Talos has provided the following command to check for the presence of the implant where systemip is the IP address of the system to check. This command should be issued from a workstation with access to the system in question: