Threat Actors Exploiting Cisco IOS XE Zero-day Vulnerability

Last Updated: October 21, 2023By

Threat Actors Actively Exploiting Cisco IOS XE Zero-day Vulnerability

Threat actors exploit zero-day vulnerabilities because these flaws are unknown to the software developers, making them highly effective for launching attacks. 

Exploiting zero-days allows malicious actors to bypass security measures and gain unauthorized access or control over systems, maximizing their chances of success.

A new Zero-day vulnerability (CVE-2023-20198) in Cisco IOS XE’s Web UI feature that affects devices with exposed HTTP/HTTPS Server functionality when connected to the internet or untrusted networks has been discovered by Cisco.

The web user interface (UI) is a graphical user interface (GUI) based system administration application that simplifies system management without the need for any additional installation or licensing. However, it is strongly advised against exposing the web UI to the internet or unreliable networks due to potential security risks.

Cisco IOS XE Zero-day Vulnerability

Cisco detected suspicious activity on a customer device starting September 18 and confirmed related behavior by September 28. 

This involved creating a ‘cisco_tac_admin’ account from an unusual IP address (5.149.249[.]74). The activity ceased on October 1, with no additional related behavior observed.


FREE Webinar

API security isn’t just a priority; it’s the lifeline of businesses and organizations. Yet, this interconnectivity brings with it an array of vulnerabilities that are often concealed beneath the surface.

Cisco Talos Incident Response (Talos IR) and TAC identified a related cluster of activity on October 12. An unauthorized user created a ‘cisco_support’ account from IP address 154.53.56[.]231. 

This activity included deploying an implant (‘cisco_service.conf’) to establish a new web server endpoint for command execution at the system or IOS level. The implant is not persistent but creates administrator-level user accounts.

CVE-2023-20198 has a critical CVSS score of 10, enabling full admin access and granting an attacker control over the router for possible unauthorized activities.

Using an unknown method, the actor exploited CVE-2021-1435 to install the implant, even on fully patched devices. The implant, coded in Lua with 29 lines, allows arbitrary command execution.

Flaw Profile

  • CVE ID: CVE-2023-20198
  • Advisory ID: cisco-sa-iosxe-webui-privesc-j22SaA4z
  • Description: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
  • First Published: 2023 October 16 15:00 GMT
  • Cisco Bug IDs: CSCwh87343
  • CVSS Score: Base 10.0
  • Severity: Critical


Organizations potentially affected should follow Cisco’s PSIRT guidance. Check for unusual users and run the following specified command (replace ‘DEVICEIP’ with the device’s IP) to detect the implant:-

  • curl -k -X POST “https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1”

This command checks for the implant’s presence in the Web UI. If it returns a hexadecimal string, the implant is present. 

Note that this only works if the web server is restarted. Snort coverage is available for CVE-2021-1435 and interactions with the implant.


  • 5.149.249[.]74 
  • 154.53.56[.]231 


  • cisco_tac_admin 
  • cisco_support 

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Source link

Leave A Comment