Cisco, a stalwart in the networking equipment domain, recently uncovered a critical security Flaw nestled within its IOS XE software. Tracked as CVE-2023-20198, this zero-day vulnerability emerges from the web UI feature and has attained the ominous maximum severity rating of 10.0 on the CVSS scoring system.

Impact and Scope

This vulnerability exclusively impacts enterprise networking gear where the Web UI feature is enabled and exposed to the internet or untrusted networks. Cisco Underscores that the flaw allows a remote, unauthenticated attacker to forge an account on the affected system with privileged level 15 access, ultimately commandeering control over the compromised system.

Mitigation Strategy

As a countermeasure, Cisco recommends disabling the HTTP server feature on systems facing the internet. This preventive step is pivotal, especially given that the flaw affects both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled.

Unraveling the Exploitation Timeline

Cisco stumbled upon this issue after detecting malicious activity on a customer device, starting on September 18, 2023, where an authorized user created a suspicious local user account. The anomalous activity ceased on October 1, 2023. A subsequent cluster of incidents on October 12, 2023, involved an unauthorized user creating another local user account, leading to the deployment of a Lua-based implant for executing arbitrary commands.

Technical Details and Persistence

The implant’s installation exploits CVE-2021-1435, a previously patched flaw, and an unidentified mechanism, even in fully patched systems. Although the backdoor isn’t persistent through device reboots, the unauthorized privileged accounts persist, showcasing the tenacity of the intrusion

Attribution and CISA Response

While Cisco attributes both clusters of activities to the same threat actor, the origins of this malicious entity remain obscured. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory and added the flaw to the Known Exploited Vulnerabilities (KEV) catalog in response.

The backdrop of heightened cybersecurity concerns aligns with prior alerts from U.K. and U.S. intelligence agencies about state-sponsored campaigns targeting global network infrastructure. Cisco underscores the allure of route/switch devices to adversaries seeking both discreet access and intelligence capabilities in preferred networks.

The revelation of this security flaw underlines the perpetual cat-and-mouse game between cybersecurity defenders and threat actors, urging a collective and persistent effort to fortify digital ecosystems against evolving vulnerabilities.