Cisco Discloses ‘Critical’ Zero-Day Vulnerability In IOS XE

The company says that the privilege escalation vulnerability is seeing ‘active exploitation.’


Cisco disclosed a zero-day vulnerability in IOS XE that has a critical severity rating and is seeing “active exploitation.”

The tech giant said in an advisory Monday that the previously unknown vulnerability impacts the web user interface (UI) capability in IOS XE, a widely used Cisco networking software platform, “when exposed to the internet or to untrusted networks.”


The vulnerability has received the maximum severity rating, 10.0 out of 10.0, from Cisco. A patch for the issue was not available as of this writing.

“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” Cisco said in a statement provided to CRN Monday. “Cisco will provide an update on the status of our investigation through the security advisory.”

The critical vulnerability can enable escalation of privileges by a remote user without authentication, Cisco said.

Exploitation of the vulnerability—which is tracked as CVE-2023-20198—can allow a malicious actor “to create an account on the affected device with privilege level 15 access,” Cisco’s Talos threat intelligence team said in a blog post. Doing so equates to “effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” the Talos blog said.

In lieu of a patch, Cisco is “strongly” recommending that customers disable the HTTP Server feature on all of their internet-facing systems.
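The two facts a defender can act on from the advisory are that the exposure is the IOS XE web UI (the HTTP Server feature) and that successful exploitation leaves behind a local account with privilege level 15. The following Python script is an added example, not code from the article, Cisco or Talos: it audits a running-config excerpt for those two conditions. The config sample is constructed, the `approved` admin list is a hypothetical inventory the operator maintains, and the script assumes the standard IOS commands `ip http server`, `ip http secure-server` and `username <name> privilege 15 ...` as they appear in `show running-config` output.

```python
import re

# Constructed sample of an IOS XE running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-router-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
"""

# Constructed "hardened" variant: web UI disabled, only the known admin present.
HARDENED_CONFIG = """\
hostname edge-router-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
!
no ip http server
no ip http secure-server
!
"""

# Matches "username <name> ... privilege 15 ..." on a single config line.
PRIV15_RE = re.compile(r"^username\s+(\S+)\s+.*\bprivilege\s+15\b")


def http_server_enabled(config):
    """Return which web UI listeners (HTTP / HTTPS) the config turns on.

    A disabled listener shows up as 'no ip http server', which does not
    match the exact enabled form, so only the enabling lines count.
    """
    enabled = {"http": False, "https": False}
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "ip http server":
            enabled["http"] = True
        elif stripped == "ip http secure-server":
            enabled["https"] = True
    return enabled


def privilege15_accounts(config):
    """Return local usernames configured with privilege level 15, in config order."""
    accounts = []
    for line in config.splitlines():
        match = PRIV15_RE.match(line.strip())
        if match:
            accounts.append(match.group(1))
    return accounts


def unexpected_admins(config, approved):
    """Privilege-15 accounts that are not in the operator's approved inventory."""
    return sorted(set(privilege15_accounts(config)) - set(approved))


def audit(config, approved):
    """Produce a list of human-readable findings for one device config."""
    findings = []
    listeners = http_server_enabled(config)
    if listeners["http"]:
        findings.append("web UI reachable over HTTP: 'ip http server' is enabled")
    if listeners["https"]:
        findings.append("web UI reachable over HTTPS: 'ip http secure-server' is enabled")
    for name in unexpected_admins(config, approved):
        findings.append(f"unapproved privilege-15 account present: {name}")
    return findings


if __name__ == "__main__":
    approved_admins = ["netadmin"]  # hypothetical inventory of known admin accounts
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg, approved_admins) or ["no findings"]:
            print(" -", finding)
```

Run it against a saved `show running-config` from each device; any unapproved privilege-15 account is a lead for the incident-response team rather than something to silently delete, since the account name is evidence of when and how the device was touched.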

The Cisco Talos team said that it discovered initial evidence pointing to malicious activity on Sept. 28. “Upon further investigation, we observed what we have determined to be related activity as early as Sept. 18,” the Talos team said in its post.