Headline
Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices
By Deeba Ahmed It is unclear how long Cisco will take to release a patch. This is a post from HackRead.com Read the original post: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices
The US had the most compromised devices (4,659) with a backdoor installed as a result of the Cisco Web UI vulnerability followed by the Philippines (over 3,200).
****KEY FINDINGS****
Cisco released a security advisory on October 16 to warn users about a critical zero-day privilege escalation vulnerability in its IOS XE Web UI software.
As per Censys, the company tracking the vulnerability, by October 18 the number of infections had increased from the previously reported 34,140 to 41,983 hosts, while 34,140 had backdoor installed
It is tracked as CVE-2023-20198 and has been used to exploit tens of thousands of devices.
The US had the highest number of compromised devices followed by the Philippines.
A critical cybersecurity threat disclosed by Cisco has resulted in mass exploitation of its devices, with the number of impacted systems surpassing 40,000 hosts worldwide. Nonprofit security group Shadowserver has detected over 32,800 devices compromised so far.
On the other hand, Censys has been tracking this vulnerability and in its blog post, the company explained that due to active exploitation of this security flaw tens of thousands of devices could be affected.
The company scanned the impacted Cisco devices and found that most belonged to telecom firms offering internet services to business and home users, including AT&T. The US had the highest number of compromised devices with a backdoor installed (4,659) followed by the Philippines (over 3,200).
Hackread.com had reported that the vulnerability, tracked as CVE-2023-20198, was discovered in the Cisco IOS XE software’s Web UI feature. Cisco warned customers about the vulnerability affecting Cisco RV320 and RV325 routers, explaining that it allows a remote unauthorized attacker to create an account on the compromised system with privilege level 15 access and go on to gain full control of the device.
The vulnerability affects the IOS XE Software Web UI feature because it is enabled by default in the devices. Cisco recommends users disable the HTTP server feature on every internet-connected system to prevent exploitation. Attackers exploiting this flaw are hijacking routers from telecom firms. Cisco has confirmed that since at least mid-September, threat actors have been exploiting it as a zero-day.
The vulnerability was first discovered in March 2023, and an uptick in attacks exploiting it was observed from mid-September. Moreover, a highly sophisticated actor is suspected to be exploiting it, which hints at the launch of a targeted and coordinated campaign while Cisco is still working on a patch to fix it.
In its threat advisory published on October 16th, 2023, Cisco stated that the actor exploited the old, already patched vulnerability (CVE-2021-1435) to install the implant after obtaining access to the device.
“We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as-of-yet undetermined mechanism.”
CISCO
It is a serious security threat as the vulnerability has the highest criticality score of 10. The IOS XE software is an essential component of Cisco switches, wireless controller products, and routers. The vulnerability is critical enough to enable a complete takeover of Cisco devices, granting threat actors the ability to effortlessly monitor network traffic or present phishing pages loaded with harmful malware.
Reportedly, 469 of the compromised devices were registered at AT&T for residential and business clients. The company uses enterprise-grade Cisco XE routers, so small-sized organizations and individuals would likely be vulnerable to this threat instead of large corporations.
The risks posed by the vulnerability are wide-ranging, as attackers can leverage access to compromised devices to disrupt network operations, steal sensitive data, and launch new attacks against other systems on the network.
It is unclear how long Cisco will take to release a patch. Meanwhile, users must scan their devices for infection and disable the HTTP server feature, implement network segmentation, and monitor network traffic for suspicious activity.
****RELATED ARTICLES****
- Cisco’s new tool will detect malware in encrypted traffic
- New 19 CISA Advisories Highlight Vulnerabilities in Top ICS Products
- New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
- Ex-employee hacked Cisco’s AWS Infrastructure; erased virtual machines
- Unpatched Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks
Related news
This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f...
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient.
Categories: Exploits and vulnerabilities Categories: News Tags: Cisco Tags: IOS X Tags: remote management Tags: vulnerability Tags: CVE-2023-20198 Tags: webUI Tags: http server Tags: http secure-server Researchers have found that a recently disclosed vulnerability in Cisco IOS XE has already rendered thousands of compromised devices. (Read more...) The post Cisco IOS XE vulnerability widely exploited in the wild appeared first on Malwarebytes Labs.
Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have
By Waqas Another day, another critical vulnerability hits Cisco! This is a post from HackRead.com Read the original post: New Cisco Web UI Vulnerability Exploited by Attackers
No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory Cisco will provide updates on the status of this investigation and when a software patch is available.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.