Cisco IOS XE Attacks Point To Rising Cyberthreats At The Edge

With tens of thousands of Cisco devices now believed to have been compromised, experts tell CRN that it’s among the biggest edge attacks to date.


Malicious actors seeking to break into corporate networks are finding the edge an increasingly appealing target, as underscored by the widespread attacks exploiting Cisco IOS XE devices this week.

Researchers suggest nearly 42,000 Cisco devices running the IOS XE operating system have been compromised so far through exploits of a zero-day vulnerability that was disclosed Monday. “Of edge attacks, this is one of if not the most significant,” said John Gallagher, vice president of Viakoo Labs at IoT security firm Viakoo.


There’s no patch available for the critical vulnerability that’s being exploited in the attacks, although Cisco has provided mitigations that it says are effective at thwarting the compromises.

The IOS XE networking software platform runs on a wide range of Cisco devices, many of which are commonly deployed in edge environments. Those include branch routers, industrial routers and aggregation routers, as well as Catalyst 9100 access points and “IoT-ready” Catalyst 9800 wireless controllers.

Beyond The Data Center

Edge attacks have been on the rise as threat actors continue to seek the path of least resistance, Gallagher told CRN.

At this point, “data center security is quite good. And so therefore, it leads [attackers] to say, ‘OK, what are the soft underbellies that maybe are not well-protected?’” he said. “And that, I think, has directly led people over the last number of years to the edge.”

Part of the reason that edge networks are perceived as more vulnerable is that with a lot of equipment deployed outside the data center, there is often a “set it and forget it” mentality, Gallagher said.

Certainly, it is possible to protect edge environments if that is prioritized by the network managers, he noted. “It really comes down to who’s managing it and how it’s managed,” Gallagher said.

‘Not A Sound Practice’

It’s telling that with the current spate of compromised IOS XE devices, the devices were only vulnerable because they were exposed to the web, said Bill Suarez, CISO at Southwick, Mass.-based solution provider Whalley Computer Associates.

“Certainly we would never advise any of our customers to deploy an outer edge switch and have a web server turned on. We just wouldn’t do it,” Suarez told CRN. “That’s just not a sound network security practice in our view.”

Attackers, however, are clearly exploiting the fact that such design decisions are being made by the managers responsible for many edge environments, he said.

“They’re taking advantage of the fact that people either don’t know the right thing to do from a design standpoint or are putting too much faith in the vendor—that the vendor is producing rock-solid code. But that’s just an unrealistic expectation in today’s world,” Suarez said.

Incidents such as this are “part of the reason why I’m a firm believer in having an edge firewall in addition to a core firewall,” he said. Deploying an edge firewall creates an “outer barrier” to head off this type of attack, Suarez said.

Device Takeover Threat

Researchers at cybersecurity firm Censys said Wednesday that the tally of compromised IOS XE devices climbed by 8,000 in a single day to a total of 41,983.

In response to a CRN inquiry Wednesday, Cisco said it did not have any new information to share.

Cisco said in an advisory Monday that the zero-day privilege escalation vulnerability—which is tracked as CVE-2023-20198—warrants the maximum severity rating, 10.0 out of 10.0.

Exploitation of the critical vulnerability can allow a malicious actor to acquire “full control of the compromised device and [allow] possible subsequent unauthorized activity,” Cisco’s Talos threat intelligence team said in a blog post Monday.

Cisco’s advisory Monday indicated that the vulnerability impacts the web user interface (UI) capability in IOS XE when it’s exposed to the web, or to an untrusted network. The flaw can enable escalation of privileges by a remote user without authentication, Cisco said.

Cisco said in an update to its advisory Tuesday that an access restriction measure it has shared is effective at stopping exploits of the vulnerability in IOS XE.
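The advisory's point is that exposure of the IOS XE web UI is what makes a device reachable by this attack, and that restricting or disabling that interface blocks it. A defender's first question is therefore which devices have the web UI enabled and whether access to it is restricted. The following script is an added example, not code from the article or from Cisco: it audits IOS XE running-config text for the standard `ip http server` / `ip http secure-server` commands and for an `ip http access-class` restriction, and classifies each device. The three device configs are constructed samples, and the classification labels are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpts for three hypothetical devices
# (not taken from the article). Each shows a different web-UI posture.
CONFIGS: Dict[str, str] = {
    "branch-rtr-01": """
hostname branch-rtr-01
ip http server
ip http secure-server
ip http authentication local
""",
    "branch-rtr-02": """
hostname branch-rtr-02
ip access-list standard MGMT_ONLY
 permit 10.10.0.0 0.0.255.255
 deny   any
ip http secure-server
ip http access-class ipv4 MGMT_ONLY
""",
    "branch-rtr-03": """
hostname branch-rtr-03
no ip http server
no ip http secure-server
""",
}


def audit_webui(config: str) -> Dict[str, object]:
    """Classify one device's web-UI exposure from its running-config text.

    Lines are anchored at column 0 so that the negated form
    'no ip http server' is not mistaken for an enabled server.
    """
    http = bool(re.search(r"^ip http server\s*$", config, re.M))
    https = bool(re.search(r"^ip http secure-server\s*$", config, re.M))
    # Both the older numbered-ACL form and the newer 'ipv4 NAME' form
    # of the access-class command are accepted.
    m = re.search(r"^ip http access-class (?:ipv4 )?(\S+)", config, re.M)
    acl = m.group(1) if m else None

    if not (http or https):
        status = "webui_disabled"        # preferred posture for edge devices
    elif acl:
        status = "webui_restricted"      # enabled but limited by an ACL
    else:
        status = "webui_unrestricted"    # reachable from anywhere it is routed
    return {"http": http, "https": https, "access_class": acl, "status": status}


def devices_needing_action(configs: Dict[str, str]) -> List[str]:
    """Return device names whose web UI is enabled with no access restriction."""
    return sorted(
        name for name, cfg in configs.items()
        if audit_webui(cfg)["status"] == "webui_unrestricted"
    )


if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(name, audit_webui(cfg))
    print("needs action:", devices_needing_action(CONFIGS))
```

In practice the config text would come from a config backup or management system rather than an inline string; the audit logic is unchanged. A device classified as `webui_restricted` still warrants review of what the ACL actually permits, since a permissive ACL gives no more protection than none.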

The tech giant has said it is addressing the critical security issue “as a matter of top priority.”

“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” Cisco said in a statement to CRN Monday.