Cisco IOS XE Hack: Researchers Find Another ‘Sharp Increase’ In Affected Devices

One of the most serious network device attacks in recent memory continues to widen, according to Censys researchers.


Compromises of Cisco IOS XE devices jumped by 8,000 on Wednesday, bringing the total number of affected systems to nearly 42,000, according to the latest data from cybersecurity firm Censys.

There’s no patch available for the critical vulnerability that’s being exploited in the attacks, although Cisco has provided mitigations that it’s said are effective at thwarting the compromises. IOS XE is a widely used Cisco networking software platform, with estimates suggesting that more than 140,000 devices in total are potentially vulnerable.

Censys researchers had previously found 34,140 Cisco devices compromised, but on Wednesday said they had “found a sharp increase in infections” with the tally climbing to 41,983.

In response to a CRN inquiry Wednesday, Cisco said it did not have any new information to share.

Cisco said in an advisory Monday that the zero-day privilege escalation vulnerability—which is tracked as CVE-2023-20198—warrants the maximum severity rating, 10.0 out of 10.0.

Exploitation of the critical vulnerability can allow a malicious actor to acquire “full control of the compromised device and [allow] possible subsequent unauthorized activity,” Cisco’s Talos threat intelligence team said in a blog post Monday.

The attacks are one of the most serious network device hacks in recent memory, experts have said.

“The last few weeks have seen their fair share of potential sky-crumbling advisories,” Censys researchers said in a post. Those have included a vulnerability in Exim mail servers, “which amounted to much of nothing,” and an HTTP/2 attack that turned out to have a very narrow impact.

“But this time, Apollo, I think we have a problem,” the Censys researchers wrote, referring to the Cisco IOS XE vulnerability. “Attackers have already used this vulnerability to exploit tens of thousands of devices to gain access and install a backdoor.”

Cisco’s advisory Monday indicated that the vulnerability impacts the web user interface (UI) capability in IOS XE when it’s exposed to the web, or to an untrusted network. The flaw can enable escalation of privileges by a remote user without authentication, Cisco said.

Cisco said in an update to its advisory Tuesday that an access restriction measure it has shared is effective at stopping exploits of the vulnerability in IOS XE.

The tech giant has said it is addressing the critical security issue “as a matter of top priority.”

“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” Cisco said in a statement to CRN Monday.

Cisco has not provided the list of devices affected, meaning that any switch, router or WLC (Wireless LAN Controller) that’s running IOS XE and has the web UI exposed to the internet is vulnerable, according to Mayuresh Dani, manager of threat research at cybersecurity firm Qualys.
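The exposure condition described above (web UI reachable without an access restriction) can be checked offline from a saved running configuration. The following is an added example, not Cisco's tooling or code from this article; it assumes the standard IOS XE web UI commands `ip http server`, `ip http secure-server` and `ip http access-class`, and the two configuration excerpts are constructed samples.

```python
import re

# Constructed IOS XE running-config excerpts (not captured from real devices).
EXPOSED_CONFIG = """\
hostname edge-router-1
ip http server
ip http secure-server
ip http authentication local
"""

RESTRICTED_CONFIG = """\
hostname edge-router-2
ip access-list standard MGMT_ONLY
 permit 10.0.0.0 0.0.0.255
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT_ONLY
"""

def audit_web_ui(running_config: str) -> dict:
    """Report which web UI listeners are enabled and whether an access-class limits them.

    Assumes the usual IOS XE syntax: 'ip http server', 'ip http secure-server'
    and 'ip http access-class [ipv4] <acl>'. A 'no ip http ...' line does not
    match the exact enabled form, so it counts as disabled.
    """
    lines = [line.strip() for line in running_config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    access_class = None
    for line in lines:
        m = re.match(r"ip http access-class (?:ipv4 )?(\S+)$", line)
        if m:
            access_class = m.group(1)
    # Any enabled listener with no access-class is reachable by whoever can route to the device.
    exposed = (http_on or https_on) and access_class is None
    return {"http": http_on, "https": https_on, "access_class": access_class, "exposed": exposed}

def recommend(report: dict) -> str:
    """Turn the audit result into the action a defender would take."""
    if not (report["http"] or report["https"]):
        return "web UI disabled: not reachable"
    if report["access_class"]:
        return f"web UI restricted by access-class {report['access_class']}"
    return "web UI enabled without access restriction: disable it or apply an access-class"

if __name__ == "__main__":
    for cfg in (EXPOSED_CONFIG, RESTRICTED_CONFIG):
        print(recommend(audit_web_ui(cfg)))
```

An access-class only narrows who can reach the listener; disabling both listeners removes the attack surface entirely, which is the stronger state when the web UI is not needed.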

The Cisco IOS XE attacks appear to be the work of a sophisticated threat actor, which is surprising due to the scale of the attacks, according to VulnCheck CTO Jacob Baines. The implant being delivered by the attacker is customized to IOS XE, he noted.

The fact that the attacker was capable of developing the implant—and installing it broadly using a zero-day vulnerability—suggests this is the rare case of a “very sophisticated” threat actor doing its work “at scale,” he said.