On October 16, 2023, Cisco reported that a critical, 0-day privilege escalation vulnerability in the web UI of routers, switches and wireless controllers running IOS XE is being remotely exploited to gain privileged access. Open source reporting indicates that thousands of internet-exposed, vulnerable devices have been compromised. This Alert is being published to raise awareness of this activity, highlight the potential impact to organizations, and provide guidance for organizations that may be affected by this malicious activity.
Updates
On October 20, 2023, Cisco also updated their advisory, highlighting an additional vulnerability that was exploited by malicious actors. After successfully exploiting CVE-2023-20198 to gain initial access to vulnerable devices, threat actors were observed exploiting CVE-2023-20273 to elevate their privileges in order to write a backdoor to the device.
On October 22, 2023, Cisco updated their advisory to indicate that the first software updates are now available for some versions of IOS XE software. Cisco has also published a Software Fix to aid in identifying affected products and the dates on which fixed images will be available for download.
On October 23, Cisco Talos updated their blog post to advise that an updated version of the backdoor has been observed, which now includes a preliminary check of the HTTP Authorization header. Talos speculates that this header check was likely added as a reactive measure to hinder the identification of affected devices.
This updated backdoor shares most of its core functionality with the original backdoor, and Talos believes it has been in use since October 20. To assist in the detection of the new backdoor, Talos has updated their blog with additional guidance to help detect the presence of either variant.
Suggested Action