Cisco has warned of an unpatched, actively exploited security flaw in its IOS XE software. Here are the main takeaways:
Key Points:
- Vulnerability: CVE-2023-20198, rooted in the web UI feature of Cisco IOS XE software.
- Severity: CVSS score of 10.0, the maximum on the Common Vulnerability Scoring System.
- Affected Systems: Any IOS XE device, physical or virtual, with the web UI (HTTP or HTTPS server) feature enabled, above all when it is reachable from the internet or from untrusted networks.
- Exploitation: A remote, unauthenticated attacker can create a privilege level 15 account on the device, which amounts to a complete takeover.
In-Depth Analysis:
Cisco disclosed that the flaw allows a remote, unauthenticated attacker to create an account on the targeted system with privilege level 15 access, the highest privilege level on IOS XE, effectively granting complete control of the device.
The affected systems encompass physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled.
In response to this threat, Cisco recommends disabling the HTTP server feature on internet-facing systems as a mitigation measure; where the web UI is genuinely required, access should at least be restricted to trusted source addresses.
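To make the mitigation concrete, here is an added example (not Cisco's own tooling) that audits `show running-config` text for web UI exposure and emits the matching CLI. The config excerpts are constructed; `no ip http server` and `no ip http secure-server` are the standard IOS XE commands Cisco's mitigation refers to, while the ACL name, the prefix and the `ip http access-class ipv4 <acl>` form in the "restrict" alternative are assumptions to adapt to your release.

```python
"""Audit a Cisco IOS XE running-config for web UI exposure and emit the mitigation.

Added example, not Cisco's tooling. Config excerpts are constructed. The ACL name,
prefix and access-class syntax in RESTRICT_WEBUI are assumptions (syntax varies by
release); `show ip http server status` on the device is the authoritative check.
"""
import re

# Constructed: web UI enabled over HTTP and HTTPS with no source restriction.
EXPOSED_CONFIG = """\
hostname edge-router-1
ip http server
ip http secure-server
ip http authentication local
username admin privilege 15 secret 9 $9$redacted
"""

# Constructed: the same device after the mitigation has been applied.
MITIGATED_CONFIG = """\
hostname edge-router-1
no ip http server
no ip http secure-server
ip http authentication local
username admin privilege 15 secret 9 $9$redacted
"""

# Cisco's recommended mitigation for internet-facing devices.
DISABLE_WEBUI = [
    "configure terminal",
    "no ip http server",
    "no ip http secure-server",
    "end",
    "write memory",
]

# Fallback when the web UI must stay reachable from a management network.
# ACL name and prefix are placeholders; access-class syntax is assumed.
RESTRICT_WEBUI = [
    "configure terminal",
    "ip access-list standard WEBUI-MGMT",
    " permit 10.0.0.0 0.0.0.255",
    "exit",
    "ip http access-class ipv4 WEBUI-MGMT",
    "end",
    "write memory",
]

ACCESS_CLASS_RE = re.compile(r"^ip http access-class\b")


def audit_webui(config: str) -> dict:
    """Classify web UI exposure from `show running-config` text.

    Only lines present in the text are considered; an explicit
    `no ip http server` line or a missing line both count as disabled.
    """
    lines = [line.strip() for line in config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    restricted = any(ACCESS_CLASS_RE.match(line) for line in lines)
    if not (http_on or https_on):
        verdict = "disabled"
    elif restricted:
        verdict = "restricted"
    else:
        verdict = "exposed"
    return {"http": http_on, "https": https_on, "access_class": restricted, "verdict": verdict}


def mitigation_for(verdict: str, webui_required: bool = False) -> list[str]:
    """CLI to apply: disable the server unless the UI is needed, otherwise restrict it."""
    if verdict == "exposed":
        return RESTRICT_WEBUI if webui_required else DISABLE_WEBUI
    return []  # already disabled or already restricted; patch as soon as a fix ships


if __name__ == "__main__":
    for cfg in (EXPOSED_CONFIG, MITIGATED_CONFIG):
        result = audit_webui(cfg)
        print(result["verdict"], mitigation_for(result["verdict"]))
```

Feed it the output of `show running-config` from each device; anything that comes back `exposed` and sits on an internet-facing interface gets the disable commands first and the patch later.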
How do we know that?
The disclosure followed Cisco's detection of suspicious activity on an undisclosed customer's device, with the earliest activity dating back to September 18, 2023.
During this period, a local user account named "cisco_tac_admin" was created from a suspicious IP address. This activity ceased on October 1, 2023.
A second cluster of malicious activity began on October 12, 2023: another local user account, "cisco_support," was created from a different IP address.
This second cluster also deployed a Lua-based implant that allowed the attacker to execute arbitrary commands at the system level or at the IOS level.
The implant was installed by exploiting CVE-2021-1435, a previously patched flaw in the web UI of Cisco IOS XE software, and, on systems fully patched against CVE-2021-1435, through a mechanism that had not yet been identified.
Importantly, the web server must be restarted for the implant to activate; in at least one observed case that restart never happened, leaving the implant inactive. Note also that the implant does not survive a device reboot, whereas the attacker-created local accounts do, so a reboot alone does not evict the attacker.
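The activity described above leaves indicators that can be checked without waiting for a patch. The following added example (not Cisco's own tooling) hunts for them: unexpected privilege 15 accounts in the running-config, syslog messages modelled on the ones Cisco published for web UI-driven configuration changes and file installs, and the classification of the response to the `logoutconfirm.html` probe that Cisco described for detecting the implant. The config excerpt and syslog lines are constructed, and the device address in the probe is a placeholder.

```python
"""Hunt for CVE-2023-20198 indicators on a Cisco IOS XE device.

Added example, not Cisco's own tooling. The config excerpt and syslog lines are
constructed; their formats are modelled on the indicators Cisco published
(%SYS-5-CONFIG_P from process SEP_webui_wsma_http, %WEBUI-6-INSTALL_OPERATION_INFO,
and the POST to /webui/logoutconfirm.html?logon_hash=1). Host in probe_device is a placeholder.
"""
import re
import ssl
from urllib import request

# Account names Cisco reported the actor creating. Any privilege 15 account
# outside your own baseline deserves the same scrutiny.
ACTOR_ACCOUNT_NAMES = {"cisco_tac_admin", "cisco_support"}

# Constructed excerpt of `show running-config`.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 9 $9$redacted
username cisco_support privilege 15 secret 9 $9$redacted
username netops privilege 15 secret 9 $9$redacted
"""

# Constructed syslog excerpt; message IDs and process name follow Cisco's indicators.
SAMPLE_SYSLOG = [
    "Oct 12 2023 03:14:07 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "Oct 12 2023 03:14:09 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD cisco_service.conf",
    "Oct 12 2023 03:20:00 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22]",
]

USERNAME_RE = re.compile(r"^\s*username\s+(\S+)\s+privilege\s+15\b")
INSTALL_RE = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), Install Operation: ADD (\S+)")
HEX_BODY_RE = re.compile(r"^[0-9a-fA-F]+$")


def find_suspicious_accounts(config: str, baseline: set[str]) -> set[str]:
    """Privilege 15 local accounts that are known actor names or absent from the baseline."""
    found = {m.group(1) for m in map(USERNAME_RE.match, config.splitlines()) if m}
    return {user for user in found if user in ACTOR_ACCOUNT_NAMES or user not in baseline}


def scan_syslog(lines) -> list[str]:
    """Flag configuration changes driven by the web UI process and web UI install operations."""
    findings = []
    for line in lines:
        if "SEP_webui_wsma_http" in line:
            findings.append("config changed programmatically via web UI: " + line)
        m = INSTALL_RE.search(line)
        if m:
            user, filename = m.groups()
            findings.append(f"web UI install by {user}: {filename}")
    return findings


def classify_probe_response(body: str) -> bool:
    """True when the probe answered with a bare hexadecimal string, the behaviour
    Cisco described for a device running the implant; a normal device returns HTML."""
    return bool(HEX_BODY_RE.match(body.strip()))


def probe_device(host: str, timeout: float = 5.0) -> bool:
    """Issue the POST Cisco's check uses and classify the body.

    Certificate verification is disabled because management interfaces usually
    present self-signed certificates. Run this only against devices you own.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = request.Request(f"https://{host}/webui/logoutconfirm.html?logon_hash=1", data=b"", method="POST")
    try:
        with request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_probe_response(resp.read().decode("utf-8", "replace"))
    except OSError:  # unreachable, HTTP error or web UI disabled: no evidence either way
        return False


if __name__ == "__main__":
    print(find_suspicious_accounts(SAMPLE_CONFIG, {"admin", "netops"}))
    for finding in scan_syslog(SAMPLE_SYSLOG):
        print(finding)
    # probe_device("192.0.2.10")  # placeholder address; run only against your own devices
```

Treat a hex response as confirmation, not a missing one as a clean bill of health: the implant only answers once the web server has been restarted, and the actor was later observed updating the implant to answer only when a specific HTTP Authorization header is present, so the account and syslog checks remain the more reliable signal.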
Assessment and Response
While the exact origin of the threat actor remains unclear, Cisco assesses that the two clusters were likely the work of the same actor: the September activity looks like an initial testing phase, and the October activity an expansion of the operation to establish persistent access via the implant.
The gravity of the situation has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory and add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
Call to Arms!
Be resourceful, keep your defenses up, and learn from breaches. Vigilance wins over strength.
Stay secure, stay vigilant. 🔒