17 October 2023

Threat actors are actively exploiting unpatched Cisco zero-day bug

US networking giant Cisco has warned that attackers are exploiting a previously unknown vulnerability (a so-called zero-day) in its IOS XE software.

The zero-day flaw, tracked as CVE-2023-20198, resides in the web UI feature and can be exploited by a remote, unauthenticated attacker who sends a specially crafted HTTP request to the affected device. The attacker can then create an account with privilege level 15 access, the highest privilege level on IOS devices. The vulnerability affects all IOS XE versions.

“Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks,” the company said.

The vendor has yet to release a software patch to address the flaw. In the meantime, Cisco recommends that customers disable the HTTP Server feature on all internet-facing systems using the 'no ip http server' or 'no ip http secure-server' command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

According to a report from Cisco’s Talos team, the first evidence of CVE-2023-20198 exploitation was observed in September 2023, when researchers discovered a rogue local user account on a customer device.
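The two defensive actions the article describes, disabling the web UI listeners and hunting for rogue privilege-15 local accounts, can be checked against a saved running-config. The following audit script is an added example, not Cisco's or Talos' code; the config excerpt and the allow-list of known accounts are constructed for illustration.

```python
import re

# Constructed sample of an IOS XE running-config excerpt (not a real capture)
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username admin privilege 15 secret 9 $9$PLACEHOLDER
username netops privilege 5 secret 9 $9$PLACEHOLDER
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER
ip http server
ip http secure-server
ip http authentication local
"""

# Assumed allow-list: local accounts the operator provisioned on purpose
KNOWN_ACCOUNTS = {"admin", "netops"}

# 'ip http server' / 'ip http secure-server', optionally negated with 'no '
HTTP_SERVER_RE = re.compile(r"^(no )?ip http (secure-)?server\s*$")
# 'username <name> privilege <level> ...'
USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def http_server_status(config: str) -> dict:
    """Report which web UI listeners are enabled: {'http': bool, 'https': bool}.
    A 'no ...' line, or no line at all, counts as disabled."""
    status = {"http": False, "https": False}
    for line in config.splitlines():
        m = HTTP_SERVER_RE.match(line.strip())
        if m:
            status["https" if m.group(2) else "http"] = m.group(1) is None
    return status


def unexpected_privilege15_accounts(config: str, known=KNOWN_ACCOUNTS) -> list:
    """Local accounts with privilege 15 that are not on the allow-list."""
    found = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and m.group(2) == "15" and m.group(1) not in known:
            found.append(m.group(1))
    return found


def audit(config: str, known=KNOWN_ACCOUNTS) -> dict:
    """Combine both checks and list the global-config commands the advisory
    recommends for every listener that is still enabled."""
    status = http_server_status(config)
    remediation = []
    if status["http"]:
        remediation.append("no ip http server")
    if status["https"]:
        remediation.append("no ip http secure-server")
    return {"unexpected_priv15": unexpected_privilege15_accounts(config, known),
            "remediation": remediation}
```

Running `audit(SAMPLE_CONFIG)` flags the `cisco_support` account and emits both disable commands, because the sample has HTTP and HTTPS enabled.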

“On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what we later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name “cisco_support” from a second suspicious IP address (154.53.56[.]231),” the team said. “Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (“cisco_service.conf”).”

The configuration file defined the new web server endpoint used to interact with the implant. That endpoint received the parameters that allowed the actor to execute arbitrary commands at the system level or IOS level.

“For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed,” Cisco noted.

At the beginning of October, Cisco issued security updates to fix a Cisco Emergency Responder (CER) backdoor (CVE-2023-20101) that lets attackers log into unpatched systems using hard-coded credentials.
