What We Know

On October 17, 2023, ReliaQuest became aware of a critical security flaw in Cisco's IOS XE software that is being actively exploited by threat actors. The vulnerability, identified as CVE-2023-20198, allows remote attackers to create an admin-level user account without authentication and gain complete control over the affected device. This flaw has received a CVSS severity rating of 10.0, indicating its criticality. The vulnerability affects IOS XE devices with the web-based configuration interface enabled, and Cisco has not specified the affected versions, suggesting that all IOS XE devices may be vulnerable.

What Is ReliaQuest Doing?

All impacted ReliaQuest customers have been contacted and provided with recommended mitigation steps.

ReliaQuest continues to actively monitor for further evidence of exploitation and for the sharing of proof-of-concept exploits (PoCs) on underground forums. Our team is also collecting indicators of compromise (IoCs) to assist in detecting potential exploitation.

In addition, the ReliaQuest threat hunting team is actively hunting to identify customers with publicly exposed Cisco IOS XE software. Those affected will be contacted by the threat hunting team.

We will continue to provide updates and guidance as necessary.

What You Should Do

Cisco has shared recommendations for its customers, which include disabling the HTTP Server feature and restricting access to HTTP/HTTPS services to trusted networks.

Cisco also recommends using the copy running-configuration startup-configuration command to save the running-configuration to prevent the changes from reverting upon system reload.
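The following is an added example (not code from Cisco or ReliaQuest) that audits a saved copy of an IOS XE running-config for the exposure described above: it flags an enabled HTTP/HTTPS server that has no access-class restricting it, and lists the commands to disable the web UI and persist the change. The sample config is constructed, and the script assumes the standard IOS XE global commands ip http server, ip http secure-server and ip http access-class.

```python
import re

# Constructed sample of a Cisco IOS XE running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

def audit_web_ui(config_text):
    """Return the web UI listener state found in a running-config.

    'ip http ...' lines are global config, so they start at column 0;
    a line beginning with 'no ' means the feature is explicitly off.
    """
    state = {"http": False, "https": False, "access_class": False}
    for line in config_text.splitlines():
        if re.match(r"^ip http server\b", line):
            state["http"] = True
        elif re.match(r"^ip http secure-server\b", line):
            state["https"] = True
        elif re.match(r"^ip http access-class\b", line):
            state["access_class"] = True
    return state

def is_exposed(state):
    """Exposed when either listener is on and no access-class restricts it."""
    return (state["http"] or state["https"]) and not state["access_class"]

def remediation(state):
    """Commands to disable each enabled listener, then save the config
    (short form of the copy running-configuration startup-configuration
    command Cisco's advisory names)."""
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    if cmds:
        cmds.append("copy running-config startup-config")
    return cmds

if __name__ == "__main__":
    found = audit_web_ui(SAMPLE_CONFIG)
    print("exposed:", is_exposed(found))
    print("\n".join(remediation(found)))
```

A device whose listener is restricted by an access-class is reported as not exposed here, but Cisco's primary recommendation is still to disable the feature where it is not required.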

How to Stay Informed

Please review the associated threat profile within the GreyMatter platform for ongoing updates and recommended responses to help you keep abreast of the situation and minimize the impact of the threat.

We will also provide updates on this blog for those who do not have access to GreyMatter.