Nearly 30,000 Cisco devices, including routers, switches and VPN appliances, have been compromised in attacks exploiting a new zero-day vulnerability in IOS XE software. According to LeakIX, most of the infected devices are located in the US, followed by the Philippines, Chile and Mexico.
The flaw, tracked as CVE-2023-20198, resides in the web UI feature and can be exploited by a remote, unauthenticated attacker via a specially crafted HTTP request sent to the affected device. The attacker can then create an account with privilege level 15 (full administrative) access. The vulnerability affects all IOS XE versions.
The vulnerability, which Cisco's threat-hunting team discovered while investigating customer complaints, has been under exploitation since September 2023. The company said it is working on a patch and has recommended that customers disable the HTTP Server feature on all internet-facing systems. The vendor has also shared a simple technique for determining whether an IOS XE device has been compromised.
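The two defender-side actions the article mentions, hardening and the vendor's implant check, as an added shell example that is not part of the original article. The IOS XE commands are the standard ones for turning off the HTTP and HTTPS servers; the check path is taken from Cisco's published guidance as I recall it (confirm it against the current Cisco advisory before relying on it), and the device address in the usage comment is a placeholder. The response bodies in the classifier are the only part that runs offline; `check_device` needs a reachable device.

```shell
#!/bin/sh
# Added example (not from the article): defender-side handling of CVE-2023-20198.
#
# 1. Hardening. The article's advice to "disable the HTTP Server feature" on
#    internet-facing IOS XE systems maps to these configuration commands.
#    They are held in a string so the script can print them; nothing here
#    changes a device.
IOS_XE_HARDENING='configure terminal
 no ip http server
 no ip http secure-server
end
write memory'

# 2. Detection. Cisco's published check (recalled from vendor guidance, not
#    quoted on this page; verify against the current advisory) sends one POST
#    to the web UI. A clean device returns a normal HTML page; an implanted
#    device answers with a bare hexadecimal string.
IMPLANT_CHECK_PATH='/webui/logoutconfirm.html?logon_hash=1'

# Classify a response body. Exit status 0 ("true") when the body, with
# whitespace stripped, is a single hex token, i.e. the implant signature;
# 1 for an empty body or anything else (HTML, error pages, banners).
is_implant_response() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    [ -n "$body" ] && printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]+$'
}

# Run the check against a live device and print IMPLANT or CLEAN.
# Usage: check_device 192.0.2.10   (placeholder address; use your own device)
check_device() {
    body=$(curl -sk --max-time 10 -X POST "https://$1$IMPLANT_CHECK_PATH")
    if is_implant_response "$body"; then echo "IMPLANT"; else echo "CLEAN"; fi
}

# Show the hardening commands for operators who want to apply them by hand.
print_hardening() {
    printf '%s\n' "$IOS_XE_HARDENING"
}
```

A non-zero curl exit (timeout, refused connection) leaves `body` empty, which the classifier reports as CLEAN; treat that as "web UI not reachable" rather than proof of a clean device, and re-run the check from a host that can reach the management interface.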
Security firm VulnCheck said it found thousands of backdoored devices. The company released a free scanner to detect malicious implants.