Synopsis: Cisco has issued a warning about a zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software. IOS XE is a release of Cisco Systems’ widely deployed Internetworking Operating System (IOS). The flaw, related to the GET VPN feature, requires attackers to have admin control of a key server or group member. Successful exploitation could lead to arbitrary code execution or system reload. Despite the need for high-level access, attacks have been observed in the wild, prompting Cisco to recommend immediate software upgrades.
Fortified is also aware of a separate set of vulnerabilities released for Cisco Catalyst SD-WAN, which will be released in a threat bulletin.
Actions: Upgrade to a fixed software release to remediate this vulnerability.
Associated Articles:
Cisco urges admins to fix IOS software zero-day exploited in attacks