Cisco has taken swift action to address two high-severity vulnerabilities that have been actively exploited in the wild to compromise vulnerable endpoints. The company has released the much-needed patch in version 17.9.4a and strongly advises IT administrators to apply it without delay to fortify their network security. The patch is available for download in the Cisco Software Download Center.
Critical Vulnerabilities Exploited
News recently emerged of malicious actors exploiting a critical vulnerability in specific Cisco devices, enabling them to gain full administrative control over entire networks. The vulnerability lies in the Web User Interface of Cisco IOS XE software and is reachable whenever that interface is exposed to the public internet. As a result, any Cisco endpoint, including routers and switches, running this software with the HTTP or HTTPS Server feature enabled and reachable from the internet was susceptible to complete device takeover.
At the time, it was estimated that around 80,000 endpoints were impacted by this flaw, which is officially tracked as CVE-2023-20198, and carries a severity rating of 10, signifying its critical nature. The second vulnerability, tracked as CVE-2023-20273, holds a severity score of 7.2.
Exploitation Consequences
Exploiting these two vulnerabilities enables a threat actor to create an account with privilege level 15 access, the highest privilege level on the device. This level of access grants the attacker complete control over the compromised device, including the ability to install additional malware. The severity of the issue prompted urgent action, with researchers from Talos strongly recommending that affected organisations promptly follow the guidance outlined in Cisco's PSIRT advisory.
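As an added illustration (not code from the article, Cisco or Talos), the following Python check inspects a saved IOS XE running-config for the two conditions described above: the HTTP/HTTPS web UI listeners being enabled, and privilege-15 accounts that are not in an operator's baseline. The sample config, hostname, account names and the `KNOWN_PRIV15` baseline are constructed assumptions.

```python
import re

# Constructed sample IOS XE running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
version 17.9
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username svc-backup privilege 1 secret 9 $9$placeholder
username tmpadmin privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Accounts the operator expects to hold privilege 15 (assumed baseline).
KNOWN_PRIV15 = {"netops"}

# "ip http server" / "ip http secure-server" enable the web UI listeners;
# other "ip http ..." lines (e.g. authentication) are deliberately not matched.
HTTP_SERVER_RE = re.compile(r"^\s*ip http (secure-)?server\s*$", re.M)
PRIV15_USER_RE = re.compile(r"^\s*username (\S+) privilege 15\b", re.M)


def check_config(config: str, known_priv15: set[str]) -> dict:
    """Report enabled web UI listeners and privilege-15 users outside the baseline."""
    listeners = ["https" if m.group(1) else "http" for m in HTTP_SERVER_RE.finditer(config)]
    priv15 = [m.group(1) for m in PRIV15_USER_RE.finditer(config)]
    unexpected = sorted(set(priv15) - known_priv15)
    return {
        "web_ui_listeners": listeners,
        "unexpected_priv15_users": unexpected,
        "exposed": bool(listeners),
    }


def remediation_lines(config: str) -> list[str]:
    """Config commands that turn off each listener found enabled in the config."""
    return [f"no {m.group(0).strip()}" for m in HTTP_SERVER_RE.finditer(config)]


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG, KNOWN_PRIV15))
    print(remediation_lines(SAMPLE_CONFIG))
```

Run it against `show running-config` output collected from each device; a non-empty `unexpected_priv15_users` list is worth investigating even on patched hosts, since an account created before patching survives the upgrade.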
Initial reports indicated that someone had been exploiting the flaw for approximately a month before its discovery, but the identity of the attacker and their targets remained undisclosed.
While initial assessments suggested that up to 80,000 endpoints were vulnerable, the number decreased over the following weekend to a few hundred. Cybersecurity experts from Fox-IT reported that the malicious code on thousands of devices had been modified to check for an Authorization HTTP header value before responding, so the implant no longer answered scans that did not supply it. A different analysis method revealed that nearly 40,000 devices were compromised.