Cisco IOS XE Web UI actively exploited
Updated: 10:00am, 24 October 2023 to include CVE-2023-20273 and new fixed versions.
Cisco has released an advisory for a critical vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software. The vulnerability, tracked as CVE-2023-20198, allows a remote unauthenticated attacker to create an account on an affected system. Another vulnerability, tracked as CVE-2023-20273, can then be used to gain full control of the device. Cisco has reported that these vulnerabilities are being actively exploited.
What to look for
How to tell if you're at risk
The vulnerability affects Cisco IOS XE software that has the web UI feature enabled. The web UI feature is enabled through the 'ip http server' or 'ip http secure-server' commands outlined in the vendor advisory.
How to tell if you're affected
You can check for the following indicators of compromise / detections as outlined in the vendor advisory:
- new or unexplained users on devices, such as 'cisco_tac_admin' or 'cisco_support'
- new or unexplained filenames in the system logs
- presence of an implant as outlined in the vendor advisory
- connections to IP addresses 5.149.249[.]74 or 154.53.56[.]231
- Snort rules outlined in the vendor advisory
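The exposure check and the account and IP address indicators above can be run offline against exported running-configs and logs. The following Python is an added example, not code from Cisco or CERT NZ; the function names, the `known_users` baseline parameter and the sample config and log lines are assumptions constructed for illustration.

```python
import re

# Indicators named in this advisory; the IPs are stored defanged as published.
IOC_USERS = {"cisco_tac_admin", "cisco_support"}
IOC_IPS = [ip.replace("[.]", ".") for ip in ("5.149.249[.]74", "154.53.56[.]231")]
HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$")
USER_RE = re.compile(r"^username\s+(\S+)")

def audit_config(config_text, known_users=()):
    """Audit one saved running-config (text) for web UI exposure and account IoCs."""
    enabled, users = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m and not m.group(1):          # skip the negated 'no ip http ...' form
            enabled.add(m.group(2))
        m = USER_RE.match(line)
        if m:
            users.append(m.group(1))
    return {
        "web_ui_enabled": bool(enabled),
        "enabled_by": sorted(enabled),
        "ioc_users": sorted(u for u in users if u in IOC_USERS),
        # Local accounts that are neither in the baseline nor a named IoC.
        "unexplained_users": sorted(u for u in users
                                    if u not in known_users and u not in IOC_USERS),
    }

def lines_with_ioc_ips(log_text):
    """Return log lines that mention either IP address from the advisory."""
    # Digit/dot guards stop 5.149.249.74 from matching inside 15.149.249.74.
    pats = [re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d)") for ip in IOC_IPS]
    return [l for l in log_text.splitlines() if any(p.search(l) for p in pats)]

# Constructed sample data, not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-sw1
username netops privilege 15 secret 9 $9$constructed
username cisco_tac_admin privilege 15 secret 9 $9$constructed
no ip http server
ip http secure-server
"""
SAMPLE_LOG = """\
10:01:02 permit tcp 192.0.2.10 -> 5.149.249.74:443
10:01:05 permit tcp 192.0.2.10 -> 15.149.249.74:443
"""

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG, known_users={"netops"}), lines_with_ioc_ips(SAMPLE_LOG))
```

A clean result from this script does not rule out compromise; the implant check and Snort rules in the vendor advisory still apply.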
What to do
Upgrade your devices running Cisco IOS XE to these latest versions as soon as possible:
Cisco has announced these further fixed updates, which are yet to be released:
- 16.12.10a (Catalyst 3650 and 3850 only).
Disable the HTTP Server feature on Cisco IOS XE, particularly on internet-facing systems, as outlined in the vendor advisory.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the CERT NZ media team on 027 816 035.