Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised

Published: 23/11/2024   Category: security




Just a day after Cisco disclosed CVE-2023-20198, the flaw remains unpatched, and one vendor says a scan of Shodan results shows at least 10,000 Cisco devices carrying an implant for arbitrary code execution. Cisco, meanwhile, has updated its advisory with additional mitigation steps.



A threat actor has already infected thousands of Internet-exposed Cisco IOS XE devices with an implant for arbitrary code execution, via an as-yet-unpatched maximum-severity vulnerability in the operating system.
Cisco disclosed the flaw, identified as CVE-2023-20198, on Oct. 17, with a warning about exploit activity in the wild targeting it. The bug, which carries a severity rating of 10 out of 10 on the CVSS scale, is present in the Web UI component of IOS XE.
The company said it had observed an attacker using the vulnerability to gain administrator-level privileges on IOS XE devices and then, in an apparent patch bypass, abusing an older remote code execution (RCE) flaw from 2021 (CVE-2021-1435) to drop a Lua-language implant on affected systems.
Now, those attacks appear to have a global footprint.
Cisco's security advisory noted that the company had responded to reports of unusual activity tied to the flaw from multiple customers. But the actual scope of the infections appears to be considerably larger than the advisory suggests.
Jacob Baines, CTO at VulnCheck, says his company has fingerprinted at least 10,000 Cisco IOS XE systems with the implant on them, and that's from scanning just half of the affected devices that are visible on search engines such as Shodan and Censys.
"From what we can tell, it does not appear to be localized," Baines says. "The IPs geolocate to a wide number of countries all over the globe."
Baines says it's somewhat difficult to determine whether the attacks are opportunistic or targeted. On the one hand, opportunistic attacks often involve threat actors using publicly available or researcher-developed proof-of-concept (PoC) exploits.
But that's not what has happened with the activity targeting CVE-2023-20198 so far, he says. "Not only did the attackers allegedly use a zero-day, and perhaps a second patch bypass, but they also deployed a custom implant. That isn't opportunistic."
Yet at the same time, the sheer number of exploited systems suggests a more indiscriminate approach, Baines says.
The fact that the compromised Cisco IOS XE systems all carry the same implant suggests that a single threat actor is behind the attacks. "Because the initial auth-bypass vulnerability was, and still is, unpatched, finding vulnerable targets is as simple as a Shodan query," Baines adds. Because Cisco has not yet made details of the vulnerability public, it is difficult to ascertain how easy or hard CVE-2023-20198 is to exploit, he notes.
Researchers at Detectify also reported, on Oct. 17, observing what appears to be Internet-wide exploit activity targeting the Cisco zero-day. They believe the threat actor behind it is opportunistically hitting every affected system it can find. "The attackers seem to be casting a wide net by attempting to exploit systems without a specific target in mind first," one researcher from the firm says. "The approach appears to be to exploit everything first and then determine what is interesting." Detectify's researchers shared Baines' assessment that affected systems are trivially easy to find via search engines such as Shodan.
Detectify's team verified only a relatively limited number of systems as infected while building a test to detect the implant for customers, the researcher says. But it is conceivable that thousands of systems have the implant, the researcher adds.
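The vendors quoted above fingerprint the implant by probing the web UI from the outside. As an added example (not the article's, VulnCheck's or Detectify's code), the script below automates the indicator Cisco Talos published alongside the advisory for this campaign: an HTTP POST to `/webui/logoutconfirm.html?logon_hash=1` that is answered with a bare hexadecimal string means the implant is present on the device. The `probe`, `classify` and `scan` names are this example's own, and the addresses in the constructed sample are documentation-range placeholders, not real devices.

```python
"""Probe IOS XE web UIs for the CVE-2023-20198 implant indicator.

Added example, not from the article or from Cisco. It automates the check
Cisco Talos published for this campaign: POST to the logoutconfirm path
below and treat a response body that is nothing but hexadecimal characters
as the implant's fingerprint. A normal web UI answers with HTML.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# Path published by Cisco Talos as the implant's trigger (real indicator).
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# The implant answers with a hex token; require a reasonable minimum length
# so that an empty or one-character body is not mistaken for it.
_HEX_BODY = re.compile(r"^[0-9a-fA-F]{8,}$")


def is_implant_indicator(body: str) -> bool:
    """True if the body is only a hexadecimal token, i.e. the published indicator."""
    return bool(_HEX_BODY.match(body.strip()))


def classify(body: Optional[str]) -> str:
    """Map a response body (or None for no answer) to an outcome label."""
    if body is None:
        return "UNREACHABLE"
    if is_implant_indicator(body):
        return "IMPLANT-INDICATOR"
    return "NO-INDICATOR"


def probe(host: str, timeout: float = 10.0) -> Optional[str]:
    """POST the indicator path over HTTPS and return the body, or None if no answer.

    Certificate checks are disabled because device web UIs almost always carry
    self-signed certificates; we are fingerprinting, not trusting the peer.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A 4xx/5xx page is still a body; it is classified like any other.
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def scan(hosts: Iterable[str],
         fetch: Callable[[str], Optional[str]] = probe) -> Dict[str, str]:
    """Classify every host; `fetch` is injectable so the logic can be tested offline."""
    return {host: classify(fetch(host)) for host in hosts}


if __name__ == "__main__":
    # Usage: python3 iosxe_implant_check.py <host-or-ip> [...]
    # Only run this against devices you own or are authorised to test.
    targets = sys.argv[1:] or ["203.0.113.10"]  # constructed placeholder address
    for host, verdict in scan(targets).items():
        print(f"{host}\t{verdict}")
```

Treat any `IMPLANT-INDICATOR` result as confirmed compromise and follow the advisory's guidance for that device. A `NO-INDICATOR` result is not proof that a device is clean: it tests one observed behaviour of one implant variant over one port, and nothing stops the actor from changing that behaviour.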
Cisco has not yet released a patch for the zero-day. But the company has recommended that organizations with affected systems immediately disable the HTTP Server feature on Internet-facing IOS XE devices. On Oct. 17, Cisco updated its advisory to note that restricting access to the HTTP Server feature with access lists works as well.
"We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation," Cisco said. When implementing access controls for these services, organizations need to be aware of the potential for interruption to production services, the company cautioned.
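To make the two mitigations concrete, here is an added example configuration for an IOS XE device (not text from the article or from Cisco's advisory) showing both options and a check of the result. The ACL name WEBUI-MGMT-ONLY and the 192.0.2.0/24 management prefix are assumptions for illustration; substitute your own.

```cisco
! Added example; not from the article or the advisory.
! Option 1: disable the web UI entirely on Internet-facing devices.
! Both the plaintext and the TLS listener must be turned off.
configure terminal
 no ip http server
 no ip http secure-server
end
copy running-config startup-config

! Option 2: keep the web UI but reach it only from the management network.
! 192.0.2.0/24 is an assumed management prefix (documentation range).
configure terminal
 ip access-list standard WEBUI-MGMT-ONLY
  permit 192.0.2.0 0.0.0.255
  deny any log
 ip http access-class ipv4 WEBUI-MGMT-ONLY
end
copy running-config startup-config

! Confirm what the running configuration now says about the HTTP server.
show running-config | include ip http server|ip http secure-server|ip http access-class
```

Option 1 removes the attack surface outright and is the simpler choice for an edge device. Option 2 is what the updated advisory endorses for devices whose web UI is still needed; the `deny any log` entry also gives you a record of blocked attempts. In both cases Cisco's caution applies: other services on the device may depend on the embedded HTTP server, so test the change on a non-critical device first and save the configuration so the mitigation survives a reboot.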
Cisco did not respond to a Dark Reading question about the reports of thousands of systems carrying the implant delivered via the new zero-day. But in an emailed statement the company said it is working non-stop to provide a software fix. In the meantime, customers should immediately implement the steps outlined in the security advisory, the statement reiterated.
"Cisco has nothing more to share at this time but will provide an update on the status of our investigation through the security advisory. Please refer to the security advisory and Talos blog for additional details."




