Patch/Configuration Management, Endpoint/Device Security, Security Staff Acquisition & Development

Thousands of devices exposed to critical Cisco IOS XE software bug

A sign with the Cisco logo is seen outside of a building

More news has come out in the last 24 hours about the exposure security teams face to a critical vulnerability that can let attackers take full control of the Web User Interface (Web UI) feature in internet-exposed Cisco devices running the networking vendor's IOS XE software.

Patrice Auffret, CEO and CTO of ONYPHE said on Tuesday that they refreshed their data and saw 74,000 devices exposing the WebUI on the Internet. Auffret said the CVE-2023-20198 vulnerability has no patch and has been actively exploited.

Click for more special coverage

Auffret’s report was followed on Oct. 18 by the CERT Orange Cyberdefense team, which posted on X (formerly Twitter) that they discovered more than 34,500 IOS XE IPs compromised by the critical vulnerability that Cisco scored at 10, the highest possible score.

Cisco revealed the zero-day bug in an Oct. 16 Security Advisory and offered additional background and guidance in a Cisco Talos blog post.

When asked when Cisco would release a patch, a Cisco spokesperson said that the company has nothing more to share at this time, but will provide an update on the status of its investigation through the security advisory. They said customers should refer to the security advisory Cisco released on Tuesday and the Talos blog for additional details.

More attacks on the horizon

John Vecchi, chief marketing officer at Phosphorus, which launched a new feature in its platform on Tuesday that helps security teams assess and mitigate the Cisco bug, said he expected to see more attacks in the coming days.

“This is going to be a pesky problem for a lot of organizations because the devices at risk are already under-inventoried, poorly monitored and not well-secured,” said Vecchi. “For instance, it's common for routers, switches and access points to be left with years-old firmware, unpatched flaws, and weak credentials — and it's even worse with the industrial versions of those devices. We're going to see significant impacts on corporate and industrial networks from this vulnerability.”

John Gallagher, vice president at Viakoo Labs, added that the numbers will likely continue to rise as more types of devices using IOS XE are examined. He explained that IOS XE is in a lot of different devices (both physical and virtual), including aggregation routers and industrial routers — even wireless access points. Gallagher said threats in general have been spreading well beyond the nicely constrained walls of a data center, and this bug is a perfect example of that. 

“Organizations should first of all be assured that while there’s not yet a patch, there is an effective workaround: disabling the HTTP server feature within IOS XE,” said Gallagher. “Organizations should use an agentless asset discovery solution that works across the enterprise, and have a current inventory of devices using IOS XE. Application-based discovery can also be useful in seeing the devices specifically tied to IOS XE. Just like with Windows Exchange Server, vulnerabilities in widely deployed and used systems can take time to fully mitigate within an organization. Focus on the systems most critical to your business operations.”

John Bambenek, principal threat hunter at Netenrich, said this new information shows that threat actors are actively exploiting devices in the wild and taking over full control of this class of network equipment. Bambenek said there’s variance in the number of devices that are compromised because everybody has their own flavors of remote detection.

“However, the important thing to do is to make sure the devices, at least the Web UI, is not internet- accessible, said Bambenek. "And if you do have one of these compromised devices, take it offline and remediate the compromise."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.