Skip to content

Actively exploited Cisco zero-day affects potentially 80000 devices

  • by
  • 3 min read

Cisco uncovered an actively exploited zero-day in the Web UI of its IOS XE software on September 28, allowing cybercriminals to gain full control over the network and potentially affecting over 80,000 devices.

The vulnerability, tracked as CVE-2023-20198 with a severity rating of 10, affects physical and virtual devices running Cisco IOS XE software with HTTP or HTTPS features enabled.

When the cybersecurity researchers further analysed the issue, it was revealed that the unusual activities had begun on September 18, almost two weeks prior. The activities involved the creation of local user accounts bearing suspicious usernames like ‘cisco_tac_admin’ from an IP address identified as 5.149.249[.]74.

These activities ceased on October 1, with no other associated behaviours observed by researchers then. Ars Technica reported that the vulnerability has affected around 80,000 devices.

On October 12, Cisco identified a new cluster of related activities, which started on the same day. In this campaign, an unauthorised user created another suspicious local user account named ‘cisco_support’ from a different suspicious IP address, 154.53.56[.]231.

Unlike the September case, the October activities extended beyond account creation. They involved deploying a configuration file known as ‘cisco_service.conf’, which could lead to the execution of arbitrary commands at the system or IOS level.

The malicious implant, stored under the file path ‘/usr/binos/conf/nginx-conf/cisco_service.conf’ doesn’t persist upon device reboots. However, the newly created local user accounts remain active, granting them level 15 privileges, equivalent to full administrator access. This means they can do whatever they want on the compromised device, including unauthorised access in the future.

Incident response. | Source: Cisco Talos

It is suspected that the same threat actor carried out both activities. The October incident appeared to build upon the earlier September activities, suggesting an initial testing phase followed by an expansion of malicious operations.

The newly discovered CVE-2023-20198 vulnerability has been rated with the highest Common Vulnerability Scoring System (CVSS), indicating a critical threat. Successful exploitation of this vulnerability could grant an attacker full administrator privileges, allowing them to take control of the affected router and potentially engage in unauthorised activities.

To install the implant, the attacker leveraged an existing vulnerability, CVE-2021-1425, even on devices that were fully patched against it. The implant, programmed in Lua, consists of 29 lines of code that facilitate arbitrary command execution through HTTP POST requests.

Cisco has urged the affected organisations to follow the guidance provided by Cisco’s Product Security Incident Response Team (PSIRT) advisory. Researchers have also advised organisations to check for unexplained or new user accounts on their devices, which could indicate malicious activity.

Cisco has also worked to provide Snort coverage, enabling organisations to detect and mitigate this threat effectively.

Further, Cisco recommends disabling the HTTP/S server feature on internet-facing systems, aligning with the best practices and government guidelines to mitigate risks from exposed management interfaces.

In the News: Threat actors exploit Discord’s CDN to distribute Lumma Stealer

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: