High Alert: Unraveling the CVE-2023-20198 Threat in Cisco IOS XE

Threat Overview – CVE-2023-20198

In October 2023, Cisco disclosed a severe vulnerability, CVE-2023-20198, affecting the Web User Interface of Cisco IOS XE software. Rated critical because of its potential impact, this flaw poses a significant risk to devices with the HTTP/S Server feature enabled, as it allows attackers to create high-privilege user accounts.

Campaign Overview

The exploitation of CVE-2023-20198 began in September 2023, with adversaries notably creating user accounts under suspicious names like “cisco_tac_admin” and “cisco_support”. These activities were traced to specific IP addresses, indicating targeted attacks. Furthermore, Cisco Talos uncovered an implant, deployed via “cisco_service.conf”, capable of executing arbitrary commands.

Technical Details

The vulnerability, classified as critical (CVSS score of 10), endangers both physical and virtual devices using Cisco IOS XE. The implant, written in Lua, allows attackers to execute commands at a high privilege level, though it is non-persistent and removed upon reboot. However, the created user accounts remain active, presenting an ongoing threat. The implant’s analysis revealed its capability for extensive control over compromised devices.

Taking Action Against CVE-2023-20198

In light of CVE-2023-20198’s severity, Cisco urgently advises disabling the HTTP/S Server feature on affected systems. Vigilance is key – monitoring for unauthorized user accounts and unusual system activity is crucial for early detection and response, particularly since the accounts persist across reboots even though the implant does not. For those looking to deepen their defensive strategies, Cyborg Security’s HUNTER Platform offers invaluable resources. Our free hunt packages, tailored to combat threats like CVE-2023-20198, provide actionable insights for enhanced security. Don’t have a HUNTER Community account yet?
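As an added example (not code from the original post, from Cisco, or from the HUNTER Platform), the following Python audits captured `show running-config` text for the indicators discussed above: whether `ip http server` / `ip http secure-server` are enabled, whether the campaign’s account names are present, and any other privilege-15 accounts not on a known allowlist. The device config, the `netops` and `backupadm` names, and the allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Account names observed in the campaign, as reported in the write-up above.
KNOWN_ROGUE_USERNAMES = {"cisco_tac_admin", "cisco_support"}
# Matches "username <name> [privilege <n>] ..." lines from IOS XE running-config.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.IGNORECASE)

@dataclass
class AuditResult:
    http_server_enabled: bool = False      # "ip http server" present
    https_server_enabled: bool = False     # "ip http secure-server" present
    rogue_accounts: list = field(default_factory=list)     # names tied to the campaign
    unexpected_priv15: list = field(default_factory=list)  # privilege-15 users not allowlisted

def audit_running_config(config: str, allowlist: set) -> AuditResult:
    """Scan captured 'show running-config' output for the indicators discussed above."""
    result = AuditResult()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":            # "no ip http server" does not match
            result.http_server_enabled = True
        elif line == "ip http secure-server":
            result.https_server_enabled = True
        m = USERNAME_RE.match(line)
        if not m:
            continue
        name, priv = m.group(1), int(m.group(2) or 1)  # IOS default privilege is 1
        if name.lower() in KNOWN_ROGUE_USERNAMES:
            result.rogue_accounts.append(name)
        elif priv == 15 and name not in allowlist:
            result.unexpected_priv15.append(name)
    return result

# Constructed sample config for a hypothetical device; secrets redacted. Not real data.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 <redacted>
username cisco_tac_admin privilege 15 secret 9 <redacted>
username cisco_support privilege 15 secret 9 <redacted>
username backupadm privilege 15 secret 9 <redacted>
username monitor privilege 1 secret 9 <redacted>
ip http server
ip http secure-server
"""

if __name__ == "__main__":
    r = audit_running_config(SAMPLE_CONFIG, allowlist={"netops"})
    print(r)
```

A finding in `rogue_accounts` on a device that also has the HTTP/S server enabled warrants an incident response review; an empty result is not proof of absence, because the Lua implant itself leaves no trace in the running-config and must be checked for separately.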

Sign up for free today here and fortify your defenses against sophisticated cyber threats.
