23 October 2023

Cisco discloses another IOS XE zero-day


Cisco has updated its security advisory on the previously disclosed CVE-2023-20198 zero-day vulnerability affecting its IOS XE product to warn of a new critical bug that has been exploited to deploy a malicious Lua implant onto compromised devices.

Tracked as CVE-2023-20273, the new flaw resides in the web UI feature and allows a remote non-authenticated attacker to create an account with privilege level 15 access using a specially crafted HTTP request.

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access,” Cisco explained in the security alert. “The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system.”
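The chain Cisco describes leaves one durable artifact that a defender can look for without any of the implant's own indicators: a newly created local account holding privilege 15 on a device whose web UI is enabled. The following is an added example, not code from Cisco or from the advisory, that audits a constructed `show running-config` excerpt for exactly those two conditions. The hostname, the account names (`netops` as the expected administrator, `svc_backup_tmp` standing in for an unexpected account) and the allowlist are all assumptions made up for the illustration, not Cisco's published IoCs.

```python
import re
from typing import Dict, List

# Constructed sample of IOS XE "show running-config" output for illustration.
# "netops" is an account the operator expects to hold privilege 15;
# "svc_backup_tmp" is a hypothetical name standing in for an account nobody
# provisioned. Neither name is a Cisco indicator of compromise.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$abcdefghijklmnop
username svc_backup_tmp privilege 15 secret 9 $9$qrstuvwxyz012345
username helpdesk privilege 1 secret 9 $9$zyxwvutsrqponmlk
!
"""

# Allowlist of local accounts that are supposed to hold privilege 15.
# Anything else at level 15 is worth a ticket, whatever its name.
EXPECTED_PRIV15 = {"netops"}

# "username <name> [privilege <n>] ..." ; privilege is optional in IOS and
# defaults to 1 when absent.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)
# Either of these lines means the web UI (HTTP or HTTPS server) is enabled.
HTTP_RE = re.compile(r"^ip http (secure-)?server\s*$", re.MULTILINE)


def parse_local_users(config: str) -> Dict[str, int]:
    """Map each local username in the config to its privilege level."""
    users: Dict[str, int] = {}
    for match in USERNAME_RE.finditer(config):
        name, priv = match.group(1), match.group(2)
        users[name] = int(priv) if priv else 1
    return users


def unexpected_priv15_users(config: str, expected=EXPECTED_PRIV15) -> List[str]:
    """Privilege-15 local accounts that are not on the allowlist."""
    return sorted(
        name for name, priv in parse_local_users(config).items()
        if priv == 15 and name not in expected
    )


def web_ui_enabled(config: str) -> bool:
    """True when the HTTP or HTTPS server feature (the web UI) is on."""
    return HTTP_RE.search(config) is not None


def audit(config: str, expected=EXPECTED_PRIV15) -> Dict[str, object]:
    """Combine both checks into one result suitable for feeding a SIEM or ticket."""
    return {
        "web_ui_enabled": web_ui_enabled(config),
        "unexpected_priv15_users": unexpected_priv15_users(config, expected),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_RUNNING_CONFIG)
    if result["web_ui_enabled"]:
        print("web UI is enabled; review exposure of the HTTP server feature")
    for name in result["unexpected_priv15_users"]:
        print(f"unexpected privilege-15 local user: {name}")
```

In practice the config would come from a device inventory or a `show running-config` capture rather than an inline string, and the allowlist from the organization's source of truth. The audit only sees the persistent account, not the in-memory implant, so a clean result does not by itself clear a device that was reachable on its web UI while the vulnerability was exploited.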

The company has also shared Indicators of Compromise associated with the observed exploitation cases.

Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) released guidance for addressing the Cisco IOS XE Web UI flaws. The UK's National Cyber Security Centre (NCSC) has also issued an advisory to help organizations secure their systems.

Security researchers reported over the weekend that the number of infected Cisco IOS XE devices dropped from almost 42,000 to 1,200.
