Hackers are exploiting a critical vulnerability in some Cisco devices to gain full administrative control of the affected devices, the company has revealed.
In a security advisory from its Talos research team, the company urged users to apply the newly released patch without hesitation.
The vulnerability is in the web user interface (Web UI) of Cisco IOS XE software. Any Cisco device running IOS XE (routers, switches, etc.) with the HTTP Server or HTTPS Server feature enabled is affected, and devices that expose that interface to the internet or to other untrusted networks are open to full device takeover. Ars Technica reports that some 80,000 endpoints are currently affected by the flaw, which is tracked as CVE-2023-20198 and carries the maximum CVSS severity rating of 10.0.
Dropping malware
“Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” Cisco Talos said in its advisory. “This is a critical vulnerability, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory.”
Exploitation appears to have been going on for at least a month; who is behind it, and who has been targeted, is not known. What is known is that the attackers used the flaw to create the privileged account and then drop a piece of malware (an implant) that is activated once the device's web server restarts. The implant does not survive a reboot, but the local user account does, so the attackers can simply repeat the process if necessary. As per Ars Technica, the flaw is “relatively easy to exploit” and allows attackers to run all kinds of malicious operations.
Besides installing the patch, the other way to make sure your devices are safe is to disable the HTTP Server and HTTPS Server features on internet-facing systems, or at least restrict access to them to trusted management networks. Because the attacker-created account outlives the implant, patching or rebooting alone is not enough: check the local accounts on each device for privilege level 15 users you did not create, and remove them.
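The two checks above (is the Web UI exposed, and is there a privilege 15 account nobody created) can be run offline against a saved `show running-config`. The script below is an added example written for this page, not code from Cisco or from the article; the sample configuration, the hostname, the account names and the `KNOWN_ADMINS` allowlist are all constructed for illustration, and the suggestion to use an access-class to restrict the service is an assumption about how you would harden a device on which the web server must stay on.

```python
import re

# Constructed sample excerpt of `show running-config` from an IOS XE device.
# The hostname and usernames are invented for this example.
SAMPLE_CONFIG = """\
!
version 17.6
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$example
username svc_backup privilege 15 secret 9 $9$example
username monitor privilege 1 secret 9 $9$example
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Assumption: the operations team maintains this allowlist of admin accounts it
# created itself. Any other privilege 15 local user is treated as suspect.
KNOWN_ADMINS = {"netadmin"}

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-server|server)\b")


def web_ui_state(config: str) -> dict:
    """Return {'http': bool|None, 'https': bool|None} from the config text.

    True  -> 'ip http server' / 'ip http secure-server' is present (enabled)
    False -> the 'no ...' form is present (explicitly disabled)
    None  -> the config does not state it; the platform default applies
    """
    state = {"http": None, "https": None}
    for line in config.splitlines():
        m = HTTP_RE.match(line.strip())
        if m:
            key = "https" if m.group(2) == "secure-server" else "http"
            state[key] = m.group(1) is None  # no leading 'no ' means enabled
    return state


def suspicious_privileged_accounts(config: str, known: set) -> list:
    """List local users configured with privilege 15 that are not in `known`."""
    found = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        name, priv = m.group(1), m.group(2)
        if priv == "15" and name not in known:
            found.append(name)
    return found


def audit(config: str, known: set) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    state = web_ui_state(config)
    for key, label in (("http", "ip http server"), ("https", "ip http secure-server")):
        if state[key] is True:
            findings.append(
                f"{label} is enabled; run 'no {label}' on internet-facing devices, "
                f"or restrict it to management networks with an ip http access-class"
            )
        elif state[key] is None:
            findings.append(f"{label} not stated; confirm on the device with 'show ip http server status'")
    for name in suspicious_privileged_accounts(config, known):
        findings.append(f"unexpected privilege 15 account '{name}'; verify who created it and remove it if unknown")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, KNOWN_ADMINS):
        print("FINDING:", finding)
```

Feed it the output of `show running-config` collected from each device (for example over your existing config-backup pipeline) rather than trusting a single live lookup; an account-creation event that happened a month ago, as the article describes, shows up in the saved configuration even after the implant itself has been wiped by a reboot.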