Cisco IOS XE Devices Have Been ‘Widely Exploited:’ Researcher

A critical vulnerability in Cisco IOS XE has enabled malicious implants on ‘thousands’ of systems, according to the CTO of exploit intelligence company VulnCheck.


Thousands of Cisco IOS XE devices have been compromised so far through exploits of a critical vulnerability in the systems, a researcher said.

Meanwhile, Cisco updated its advisory Tuesday to say it now has “high confidence” that a mitigation measure it has shared will be effective at preventing exploits of the vulnerability in IOS XE, a widely used networking software platform.

[Related: Cisco IOS XE Vulnerability: Here’s What To Know]

“We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation,” Cisco said in the update to its advisory.

Cisco said in the initial advisory Monday that the vulnerability—which is tracked as CVE-2023-20198—has been seeing “active exploitation” by attackers. The vulnerability has received the maximum severity rating, 10.0 out of 10.0, from Cisco.

Cisco has not provided the list of devices affected, meaning that any switch, router or WLC (Wireless LAN Controller) that’s running IOS XE and has the web user interface (UI) exposed to the internet is vulnerable, according to Mayuresh Dani, manager of threat research at cybersecurity firm Qualys.

A significant number of Cisco IOS XE systems have already been impacted, according to a post from Jacob Baines, CTO at exploit intelligence company VulnCheck.

The critical vulnerability “appears to have been widely exploited to install implants on Cisco IOS XE systems,” Baines wrote in the post.

Cisco said in its advisory Monday that the previously unknown vulnerability impacts the web UI capability in IOS XE “when exposed to the internet or to untrusted networks.” The vulnerability can enable escalation of privileges by a remote user without authentication, Cisco said.

Exploitation of the vulnerability can allow a malicious actor to acquire “full control of the compromised device and [allow] possible subsequent unauthorized activity,” Cisco’s Talos threat intelligence team said in a blog post.

‘Bad Situation’

In the VulnCheck post, Baines wrote that an internet scan revealed “thousands of implanted hosts.”

“This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks,” he wrote.

CRN reached out to Cisco for comment Tuesday.

A patch for the vulnerability was not available as of this writing.

In lieu of a patch, Cisco has been recommending that customers disable the HTTP Server feature for all of its internet-facing systems.
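As an added illustration (not text from the article and not Cisco's own advisory wording), here are the two mitigations described above expressed as IOS XE configuration: disabling the HTTP Server feature outright, or keeping it enabled but restricting it with an access list so only a trusted management network can reach the web UI. The ACL name `WEBUI-MGMT` and the `10.0.100.0/24` management subnet are assumed placeholders; the `ip http access-class ipv4` form is the newer syntax, and older releases take a numbered standard ACL instead.

```cisco
! Added example, not from the article or from Cisco's advisory text.
!
! Option A: remove the exposure entirely on internet-facing devices by
! turning off both the HTTP and HTTPS web UI listeners.
configure terminal
 no ip http server
 no ip http secure-server
end
!
! Option B: keep the web UI but only allow the management network.
! 10.0.100.0/24 is an assumed placeholder; substitute your own subnet.
configure terminal
 ip access-list standard WEBUI-MGMT
  permit 10.0.100.0 0.0.0.255
  deny   any log
 exit
 ip http access-class ipv4 WEBUI-MGMT
end
!
! Persist the change so it survives a reload.
write memory
!
! Check: lines for the HTTP server, HTTPS server, and any access class
! applied to them. An internet-facing device should show neither listener
! enabled, or should show the access-class line restricting them.
show running-config | include ip http server|secure|active|access-class
```

The `deny any log` entry is there so that blocked attempts to reach the web UI from outside the management subnet are recorded; on a device that was exposed before the change, those log entries are a useful indicator of continued scanning against it.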

In a statement provided to CRN Monday, the tech giant said it is addressing the critical security issue “as a matter of top priority.”

“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” Cisco said in the statement. “Cisco will provide an update on the status of our investigation through the security advisory.”

The Cisco Talos team said that it discovered initial evidence pointing to malicious activity on Sept. 28. “Upon further investigation, we observed what we have determined to be related activity as early as Sept. 18,” the Talos team said in its post.