Cisco IOS XE Vulnerability: Here’s What To Know

The actively exploited vulnerability impacts any switch or router that is running IOS XE and has the web interface exposed to the internet, a threat researcher tells CRN.


The latest zero-day vulnerability in Cisco IOS XE impacts many of the company’s switches and routers, according to a threat researcher.

Cisco disclosed the new vulnerability in IOS XE on Monday and said that it is seeing “active exploitation” by attackers.

[Related: ‘Critical’ Fortinet Firewall Vulnerability Proves A Lingering Issue: Researchers]


The vulnerability has received the maximum severity rating, 10.0 out of 10.0, from Cisco.

Here’s what to know about the critical Cisco IOS XE vulnerability.

Privilege Escalation Risk

Cisco said in an advisory Monday that the previously unknown vulnerability impacts the web user interface (UI) capability in IOS XE, a widely used Cisco networking software platform, “when exposed to the internet or to untrusted networks.”

The critical vulnerability can enable escalation of privileges by a remote user without authentication, Cisco said.

Exploitation of the vulnerability—which is tracked as CVE-2023-20198—can allow a malicious actor “to create an account on the affected device with privilege level 15 access,” Cisco’s Talos threat intelligence team said in a blog post. Doing so equates to “effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” the Talos blog said.

No Patch Yet

A patch for the vulnerability was not available as of this writing.

In lieu of a patch, Cisco is “strongly” recommending that customers disable the HTTP Server feature on all of their internet-facing systems.

Organizations should utilize the time they have until a patch is issued to make sure they have an automated, effective patching system in place, said John Gallagher, vice president of Viakoo Labs at IoT security firm Viakoo, in an email to CRN.
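The two things the advisory and the Talos post point at can be checked from a saved running-config: whether the web UI (`ip http server` / `ip http secure-server`) is enabled, and which local accounts hold privilege level 15. The following is an added example, not code from Cisco or CRN; the config excerpt, hostname and usernames are constructed, and the hashes are placeholders.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt of a Cisco IOS XE running-config (hypothetical device, placeholder hashes).
SAMPLE_CONFIG = """\
hostname edge-router-1
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
username netops privilege 5 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# "ip http server" / "ip http secure-server" enable the web UI; the "no ..." forms disable it.
HTTP_SERVER_RE = re.compile(r"^(no[ \t]+)?ip http (secure-)?server[ \t]*$", re.MULTILINE)
# Local accounts configured with privilege level 15 (full control of the device).
PRIV15_USER_RE = re.compile(r"^username[ \t]+(\S+)[ \t]+privilege[ \t]+15\b", re.MULTILINE)


def http_server_state(config: str) -> Dict[str, Optional[bool]]:
    """Map each web-server line to True (enabled), False (disabled) or None (absent)."""
    state: Dict[str, Optional[bool]] = {"ip http server": None, "ip http secure-server": None}
    for m in HTTP_SERVER_RE.finditer(config):
        key = "ip http secure-server" if m.group(2) else "ip http server"
        state[key] = m.group(1) is None  # no "no " prefix means the server is enabled
    return state


def privilege15_users(config: str) -> List[str]:
    """Return the local usernames configured with privilege 15, in config order."""
    return PRIV15_USER_RE.findall(config)


def audit(config: str, expected_admins: Set[str]) -> Dict[str, object]:
    """Summarise web UI exposure and level-15 accounts that are not on the expected list."""
    state = http_server_state(config)
    web_ui_enabled = any(v for v in state.values())
    unexpected = [u for u in privilege15_users(config) if u not in expected_admins]
    return {
        "web_ui_enabled": web_ui_enabled,
        "http_state": state,
        "unexpected_privilege15": unexpected,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, expected_admins={"admin"}))
```

Run it against the output of `show running-config` from each device; an unexpected privilege-15 account or an enabled web server on an internet-facing device is the condition the advisory describes.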

Cisco Working ‘Non-Stop’ To Fix

In a statement provided to CRN, the tech giant said it is addressing the critical security issue “as a matter of top priority.”

“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” Cisco said in a statement provided to CRN Monday. “Cisco will provide an update on the status of our investigation through the security advisory.”

Actively Exploited

Cisco is “aware of active exploitation of this vulnerability,” the company said in its advisory Monday.

The Cisco Talos team said that it discovered initial evidence pointing to malicious activity on Sept. 28. “Upon further investigation, we observed what we have determined to be related activity as early as Sept. 18,” the Talos team said in its post.

Widespread Impact

Cisco has not provided the list of devices affected — meaning that any switch, router or WLC (Wireless LAN Controller) that’s running IOS XE and has the web UI exposed to the internet is vulnerable, said Mayuresh Dani, manager of threat research at cybersecurity firm Qualys, in an email to CRN.

Based on research using the Shodan search engine, there are about 40,000 Cisco devices that have web UI exposed to the internet, Dani said.

Notably, network devices have long been a sought-after target for nation-state actors focused on espionage, said John Bambenek, principal threat hunter at security analytics firm Netenrich, in an email to CRN.

This vulnerability gives such attackers an ideal tool to manipulate network traffic in a subtle fashion, Bambenek said.