October 17, 2023

Cisco has released a security advisory for an exploited zero-day vulnerability tracked as CVE-2023-20198. The critical vulnerability, with a CVSSv3 score of 10, is a privilege escalation vulnerability.

Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account with privilege level 15 access on an affected system. The attacker can then use that account to gain control of the affected system.

We would recommend that affected organizations take three actions:

• Removing any recently created accounts with username ‘cisco_tac_admin’ or ‘cisco_support’
• Disabling the http server on any public facing device running IOSXE
• Resetting any administrative account passwords (specifically Level 15 accounts)

Organizations should also review the Cisco Security Advisory cisco-sa-iosxe-webui-privesc-j22SaA4z.

It’s important to note, that this only affects IOSXE public-facing devices with the http server enabled.