On October 16, 2023, Cisco disclosed a critical privilege escalation vulnerability (CVE-2023-20198) in the web user interface (web UI) of Cisco IOS XE software. Cisco has observed active exploitation of this vulnerability since at least September 18, 2023. As of this publication, there is no patch available.
The issue affects systems running Cisco IOS XE software with the HTTP or HTTPS Server feature enabled. Successful exploitation allows an unauthenticated remote attacker to create a local user account with privilege level 15, the highest privilege level on IOS XE, giving them full control of the device. In activity observed by Cisco researchers, a threat actor used this access to deploy a malicious file to /usr/binos/conf/nginx-conf/cisco_service.conf, which gave them the ability to execute commands on the device remotely. Attackers were observed creating local user accounts named “cisco_tac_admin” and “cisco_support”, but any other recently created local user account should also be treated as suspicious.
Secureworks Counter Threat Unit (CTU) researchers, our security partner, recommend that customers review the Cisco advisory and apply the mitigation guidance as appropriate in their environments. Cisco has published indicators to help customers determine whether a system has been compromised.
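The following shell script is an added example of the triage a practitioner can run against the points above (web UI enabled, unexpected privilege-15 accounts, and the implant check); it is not tooling from Cisco, Secureworks or the author of this page. It assumes the implant check published by Cisco Talos (an HTTP POST to /webui/logoutconfirm.html?logon_hash=1, which returns a hexadecimal string when the implant is present), and the running-config sample embedded below is constructed for illustration, with placeholder password hashes.

```shell
#!/bin/sh
# Added example (not Cisco's or Secureworks' tooling) for CVE-2023-20198 triage.
# Assumptions: the implant check is the POST to /webui/logoutconfirm.html?logon_hash=1
# published by Cisco Talos; the sample running-config below is constructed.

# Constructed running-config excerpt showing the vulnerable feature enabled and
# two attacker-created accounts alongside a legitimate one. HASH is a placeholder.
SAMPLE_CONFIG='hostname edge-rtr-01
ip http server
ip http secure-server
username netadmin privilege 15 secret 9 HASH
username cisco_tac_admin privilege 15 secret 9 HASH
username cisco_support privilege 15 secret 9 HASH
line vty 0 4'

# Return 0 if the config enables the web UI (HTTP or HTTPS server), 1 otherwise.
# Mitigation per the Cisco advisory is to disable it (no ip http server /
# no ip http secure-server) until a fixed release is available.
web_ui_enabled() {
    printf '%s\n' "$1" | grep -Eq '^ip http (secure-)?server$'
}

# Print local usernames from a running-config that are not in the allowlist.
# $1 = config text, $2 = space-separated list of expected usernames.
# Any account printed here should be investigated, not just the two known names.
unexpected_users() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "username" && !($2 in ok) { print $2 }'
}

# Return 0 if an HTTP response body matches the implant indicator: a non-empty
# string consisting only of hexadecimal digits (trailing newlines ignored).
# A normal web UI reply is HTML, which fails this test.
implant_indicator() {
    body=$(printf '%s' "$1" | tr -d '\r\n')
    [ -n "$body" ] || return 1
    case "$body" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# Query one device for the implant. Needs network access; not exercised offline.
# Returns 0 if the indicator is present, 1 if absent, 2 if the request failed.
check_device() {
    resp=$(curl -sk -m 10 -X POST "https://$1/webui/logoutconfirm.html?logon_hash=1") || return 2
    if implant_indicator "$resp"; then
        echo "$1: IMPLANT INDICATOR PRESENT"
        return 0
    fi
    echo "$1: no implant response"
    return 1
}

# Offline usage on the constructed sample:
if web_ui_enabled "$SAMPLE_CONFIG"; then
    echo "web UI enabled: apply 'no ip http server' / 'no ip http secure-server'"
fi
echo "unexpected local accounts:"
unexpected_users "$SAMPLE_CONFIG" "netadmin"
# Online usage, one hostname or IP per line in devices.txt:
#   while read -r h; do check_device "$h"; done < devices.txt
```

The allowlist for unexpected_users should come from your configuration baseline, not from the device itself; an attacker with level-15 access can edit the running-config that the check reads, so absence of a known name is not proof of a clean device. The implant check is the stronger signal, and a hex reply from a device you have not explicitly put in that state should be escalated as a confirmed compromise.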
If you have any questions or concerns about this advisory, please contact us via our support desk – firstname.lastname@example.org