More Than 34,000 Cisco Devices Compromised Via IOS XE Vulnerability: Researchers

The finding came from Orange’s CERT (Computer Emergency Readiness Team) and came days after a zero-day vulnerability impacting Cisco IOS XE was disclosed.


More than 34,000 Cisco devices have been compromised through exploits of a critical IOS XE vulnerability discovered earlier this week, according to researchers.

The researchers with Orange’s CERT (Computer Emergency Readiness Team) disclosed the finding Wednesday on X, the platform formerly known as Twitter. Telecommunications operator Orange runs what it calls the “first private CERT in Europe” through its Orange Cyberdefense unit.

[Related: Why Cisco IOS XE Attacks Are Setting Off Alarm Bells]

Sponsored post

“We discovered over 34.5K #Cisco IOS XE IPs compromised by #CVE-2023-20198 with implants based on the check published by TALOS,” Orange’s CERT team wrote in the post on X.

The finding suggests a wider scope of impact for the attacks against Cisco customers, via the zero-day vulnerability in IOS XE, than was previously understood. Earlier findings had suggested “thousands” of Cisco devices were compromised in the attacks.

CRN has reached out to Cisco for comment.

Cisco said in an advisory Monday that the previously unknown privilege escalation vulnerability has been seeing “active exploitation” by attackers. The vulnerability—which is tracked as CVE-2023-20198—has received the maximum severity rating, 10.0 out of 10.0, from Cisco.

Exploitation of the critical vulnerability can allow a malicious actor to acquire “full control of the compromised device and [allow] possible subsequent unauthorized activity,” Cisco’s Talos threat intelligence team said in a blog post.

A patch for the vulnerability was not available as of this writing. Cisco said in an update to its advisory Tuesday that an access restriction measure it has shared is an “effective mitigation” to exploits of the vulnerability in IOS XE, a widely used Cisco networking software platform.

Cisco said in its advisory Monday that the critical vulnerability impacts the web user interface (UI) capability in IOS XE “when exposed to the internet or to untrusted networks.” The vulnerability can enable escalation of privileges by a remote user without authentication, Cisco said.

In a statement provided to CRN Monday, the tech giant said it is addressing the critical security issue “as a matter of top priority.”

“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” Cisco said in the statement. “Cisco will provide an update on the status of our investigation through the security advisory.”

Cisco has not provided the list of devices affected, meaning that any switch, router or WLC (Wireless LAN Controller) that’s running IOS XE and has the web UI exposed to the internet is vulnerable, according to Mayuresh Dani, manager of threat research at cybersecurity firm Qualys.

The Cisco IOS XE attacks appear to be the work of a sophisticated threat actor, which is surprising due to the scale of the attacks, according to VulnCheck CTO Jacob Baines.

The implant being delivered by the attacker “isn’t some off-the-shelf tool,” Baines said. “It’s customized to IOS XE.”

The fact that the attacker was capable of developing the implant and installing it broadly — using a zero-day vulnerability, no less — suggests this is the rare case of a “very sophisticated” threat actor doing its work “at scale,” he said.

Advanced attackers are typically associated with highly pinpointed attacks, Baines noted, rather than with widespread campaigns. “But not this time,” he said.

James Range, CEO of Dallas-based solution provider White Rock Cybersecurity, told CRN that when there’s a general threat where everybody is theoretically susceptible, it does not raise as much concern from customers as an attack targeted at a specific vendor. However, it prompts major anxiety “when you hear ‘Cisco’ or other vendors — and you happen to own it, and you’re running all your stuff off that.”