Why Cisco IOS XE Attacks Are Setting Off Alarm Bells

The attack campaign is a rare example of an advanced attack done at a wide scale.


Cyberthreats targeting a specific vendor such as the latest attacks against Cisco customers are always a big concern. But the current campaign targeting Cisco IOS XE is even more so, given the widespread nature of the attacks.

“When there’s a threat and it is specifically targeted to a company like Cisco, that wakes people up,” said James Range, CEO of Dallas-based solution provider White Rock Cybersecurity.


The Cisco IOS XE attacks appear to be the work of a sophisticated threat actor, which is surprising due to the scale of the attacks, according to VulnCheck CTO Jacob Baines.

The implant being delivered by the attacker “isn’t some off-the-shelf tool,” Baines said. “It’s customized to IOS XE.”

The fact that the attacker was capable of developing the implant and installing it broadly — using a zero-day vulnerability, no less — suggests this is the rare case of a “very sophisticated” threat actor doing its work “at scale,” he said.

Advanced attackers are typically associated with highly pinpointed attacks, Baines noted, rather than with widespread campaigns. “But not this time,” he said.

No Patch Yet

Cisco said in an advisory Monday that the previously unknown privilege escalation vulnerability has been seeing “active exploitation” by attackers. The vulnerability—which is tracked as CVE-2023-20198—has received the maximum severity rating, 10.0 out of 10.0, from Cisco.

Exploitation of the critical vulnerability can allow a malicious actor to acquire “full control of the compromised device and [allow] possible subsequent unauthorized activity,” Cisco’s Talos threat intelligence team said in a blog post.

A patch for the vulnerability was not available as of this writing. Cisco said in an update to its advisory Tuesday that an access restriction measure it has shared is an “effective mitigation” to exploits of the vulnerability in IOS XE, a widely used Cisco networking software platform.

In a blog post, Baines wrote that an internet scan by his exploit intelligence company, VulnCheck, revealed “thousands of implanted hosts.”

CRN reached out to Cisco for comment Tuesday.

A ‘Scary’ Situation

Baines, formerly a security researcher at cybersecurity vendors including Tenable and Rapid7, told CRN that the attacks can be expected to persist for some time.

Exposing the web interface to the internet is a “gross misconfiguration,” Baines said, adding that he suspects most victims have not done it intentionally.

Those types of organizations will likely be slow to learn about the vulnerability and their potential exposure, he said. It will probably take significant advocacy from the security community and national-level CERTs (Computer Emergency Readiness Teams) to “start getting this cleaned up,” Baines said.

At White Rock Cybersecurity, “I would venture to say that we’re going to get some calls in the next day or two about that from Cisco customers,” Range said.

When there’s a general threat where everybody is theoretically susceptible, it does not raise as much concern from customers as an attack targeted at a specific vendor, he noted. However, it prompts major anxiety “when you hear ‘Cisco’ or other vendors — and you happen to own it, and you’re running all your stuff off that.”

Compounding the concern is the fact that “the customer doesn’t always know, ‘How do I patch? Do I need to patch? What do I have left to do? Is there anything special I need to do?’” Range said. “It can be scary.”

‘Top Priority’ For Cisco

Cisco said in its advisory Monday that the critical vulnerability impacts the web user interface (UI) capability in IOS XE “when exposed to the internet or to untrusted networks.” The vulnerability can enable escalation of privileges by a remote user without authentication, Cisco said.

In a statement provided to CRN Monday, the tech giant said it is addressing the critical security issue “as a matter of top priority.”

“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” Cisco said in the statement. “Cisco will provide an update on the status of our investigation through the security advisory.”

Cisco has not provided the list of devices affected, meaning that any switch, router or WLC (Wireless LAN Controller) that’s running IOS XE and has the web UI exposed to the internet is vulnerable, according to Mayuresh Dani, manager of threat research at cybersecurity firm Qualys.
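The exposure condition the article describes is a device running IOS XE with its web UI reachable from the internet, and the interim mitigation is access restriction. As an added example (not from the article, Cisco or Qualys), the following audit classifies running-config excerpts by that condition; it assumes the standard IOS XE lines `ip http server`, `ip http secure-server` and `ip http access-class`, and the sample configs are constructed.

```python
"""Audit IOS XE running-config excerpts for web UI exposure.

Added example. Assumes the standard IOS XE commands `ip http server`,
`ip http secure-server` and `ip http access-class [ipv4] <acl>`.
A missing line is treated as disabled; confirm the default on your platform.
"""
import re

HTTP_SERVER = re.compile(r"^\s*(no )?ip http server\s*$", re.M)
HTTPS_SERVER = re.compile(r"^\s*(no )?ip http secure-server\s*$", re.M)
ACCESS_CLASS = re.compile(r"^\s*ip http access-class\s+(?:ipv4\s+)?(\S+)\s*$", re.M)

# Constructed sample configs (hostnames and ACL names are made up).
EXPOSED = """\
hostname edge-rtr1
ip http server
ip http secure-server
"""
RESTRICTED = """\
hostname edge-rtr2
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.255.255
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""
DISABLED = """\
hostname edge-rtr3
no ip http server
no ip http secure-server
"""


def web_ui_enabled(config: str) -> bool:
    """True if the HTTP or HTTPS server line is present without a leading 'no'."""
    for pattern in (HTTP_SERVER, HTTPS_SERVER):
        match = pattern.search(config)
        if match and not match.group(1):
            return True
    return False


def audit(config: str) -> str:
    """Classify a config excerpt: disabled, restricted by ACL, or unrestricted."""
    if not web_ui_enabled(config):
        return "web UI disabled"
    acl = ACCESS_CLASS.search(config)
    if acl:
        return f"web UI enabled, restricted by access-class {acl.group(1)}"
    return "web UI enabled with no access restriction: exposure risk"


if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("RESTRICTED", RESTRICTED), ("DISABLED", DISABLED)):
        print(f"{name}: {audit(cfg)}")
```

Run it against `show running-config` output saved to a file to find devices where the web UI is on but no access-class limits who can reach it.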

Based on research using the Shodan search engine, there are about 40,000 Cisco devices that have their web UI exposed to the internet, Dani said.