Cisco IOS XE Web UI actively exploited


3:40am, 17 October 2023

TLP Rating: Clear


Updated: 10:00am, 24 October 2023 to include CVE-2023-20273 and new fixed versions.

Cisco has released an advisory for a critical vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software. The vulnerability, tracked as CVE-2023-20198, allows a remote unauthenticated attacker to create an account on an affected system. A second vulnerability, tracked as CVE-2023-20273, can then be used to gain full control of the device. Cisco has reported that these vulnerabilities are being actively exploited.

What to look for

How to tell if you're at risk

The vulnerability affects Cisco IOS XE software that has the web UI feature enabled. The web UI feature is enabled through the 'ip http server' or 'ip http secure-server' commands outlined in the vendor advisory.

How to tell if you're affected

You can check for the following indicators of compromise / detections as outlined in the vendor advisory:

  • new or unexplained users on devices, such as 'cisco_tac_admin' or 'cisco_support'
  • new or unexplained filenames in the system logs
  • presence of an implant, as outlined in the vendor advisory
  • connections to the IP addresses 5.149.249[.]74 or 154.53.56[.]231
  • matches on the Snort rules outlined in the vendor advisory

What to do

Prevention

Upgrade your devices running Cisco IOS XE to the following fixed version as soon as possible:

  • 17.9.4a

Cisco has announced these further fixed updates, which are yet to be released:

  • 17.6.6a
  • 17.3.8a
  • 16.12.10a (Catalyst 3650 and 3850 only).
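As an added example (not from the CERT NZ or Cisco advisories), the script below checks exported syslog and 'show running-config' text for the account names and IP addresses listed under "How to tell if you're affected", and compares a running IOS XE version against the fixed releases listed above. The sample log lines and config are constructed, and treating a release train with no listed fix as needing review is our assumption, not the advisory's.

```python
import re

# Indicators exactly as this advisory lists them (IPs are defanged there), and
# the fixed releases listed above, keyed by release train.
SUSPICIOUS_USERS = {"cisco_tac_admin", "cisco_support"}
SUSPICIOUS_IPS = {ip.replace("[.]", ".") for ip in ("5.149.249[.]74", "154.53.56[.]231")}
FIXED = {"17.9": "17.9.4a", "17.6": "17.6.6a", "17.3": "17.3.8a", "16.12": "16.12.10a"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Matches 'user: name' in syslog and 'username name' in running-config.
USER_RE = re.compile(r"\buser(?:name)?[:\s]+([A-Za-z0-9_.-]+)", re.IGNORECASE)

def scan_log_lines(lines):
    """Return (line_no, reason) for every line touching a listed IP or account."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in SUSPICIOUS_IPS:
                hits.append((n, f"traffic involving listed IP {ip}"))
        for user in USER_RE.findall(line):
            if user.lower() in SUSPICIOUS_USERS:
                hits.append((n, f"activity by listed account {user}"))
    return hits

def unexpected_users(running_config, inventory):
    """Accounts in 'show running-config' not in your inventory, plus any listed name."""
    found = {m.group(1) for m in USER_RE.finditer(running_config)}
    return sorted((found - set(inventory)) | (found & SUSPICIOUS_USERS))

def parse_version(v):
    """'17.9.4a' -> (17, 9, 4, 'a'); the rebuild letter sorts after the plain release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def needs_upgrade(running):
    """True unless at/past the train's fixed release; a train with no listed fix is
    flagged for review (our assumption, not the advisory's)."""
    parsed = parse_version(running)
    fixed = FIXED.get(f"{parsed[0]}.{parsed[1]}")
    return fixed is None or parsed < parse_version(fixed)

# Constructed sample input for illustration; not real device output.
SAMPLE_LOG = [
    "Oct 17 03:40:01 edge-rtr 1: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 5.149.249.74]",
    "Oct 17 03:41:12 edge-rtr 2: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user cisco_support",
    "Oct 17 03:45:00 edge-rtr 3: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]",
]
SAMPLE_CONFIG = "username netops privilege 15 secret 9 ****\nusername cisco_tac_admin privilege 15 secret 9 ****\n"

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG), unexpected_users(SAMPLE_CONFIG, {"netops"}), needs_upgrade("17.9.3"))
```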


Mitigation

Disable the HTTP Server feature on Cisco IOS XE, particularly on internet-facing systems, as outlined in the vendor advisory.

More information

Vendor advisory – Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
