Synopsis: Cisco announced yesterday (10/17/2023) a vulnerability, tracked as CVE-2023-20198, in devices running IOS XE; it has allegedly been exploited by threat groups since September.

It is essential to note that a patch has yet to be released for remediation. This vulnerability allows an attacker to execute arbitrary code that creates an account with the highest possible privileges. While an explicit list of affected systems also remains unclear, a review of Cisco’s literature shows the following product families as supported by IOS XE:

  • Enterprise switches
  • Wireless controllers
  • Access points
  • Aggregation routers
  • Branch routers
  • Industrial routers
  • Virtual Routing
  • Converged broadband routers

Actions: Current industry recommendations for remediation are that the HTTP Server feature on all internet-facing systems be disabled.

  • To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode.
  • If both the HTTP and HTTPS servers are in use, both commands are required to fully disable the HTTP Server feature.

After implementing changes, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the changes are not reverted in the event of a system reload.

It is further recommended that, where possible, monitoring rules be put in place to detect the creation of new accounts on the affected devices.

Fortified recommends that any system changes be documented for roll-back operations should this change result in service interruptions. Additionally, it is recommended that all changes be tested before applying said changes throughout the environment.
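As an added example (not part of the original advisory or of Cisco's guidance), the following Python checks cover the two actions above against constructed data: they flag logged configuration commands that define a privilege-15 account, and confirm from a running-config snapshot that the HTTP and HTTPS servers are disabled. The syslog format assumes IOS XE configuration-change logging is enabled; the hostname, user and account names are made up.

```python
import re

# Constructed sample lines shaped like IOS XE configuration-change logging
# (enabled with: archive / log config / logging enable). Hostname, users and
# account names are made up for this example.
SAMPLE_SYSLOG = """\
<189>2023-10-17T02:11:04Z edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<189>2023-10-17T02:11:09Z edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/0/1
<189>2023-10-17T03:42:51Z edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:webui_svc  logged command:username support_tmp privilege 15 secret *****
<189>2023-10-17T03:42:52Z edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:webui_svc  logged command:username readonly privilege 1 secret *****
"""

# Captures who ran a logged 'username <name> ... privilege <N>' command.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<actor>\S+)\s+logged command:"
    r"username (?P<account>\S+).*?privilege (?P<level>\d+)"
)

def find_new_privileged_accounts(syslog: str, min_level: int = 15) -> list:
    """One record per logged command that defines an account at or above min_level."""
    hits = []
    for line in syslog.splitlines():
        m = CFGLOG_RE.search(line)
        if m and int(m.group("level")) >= min_level:
            hits.append({"actor": m.group("actor"),
                         "account": m.group("account"),
                         "level": int(m.group("level"))})
    return hits

# Constructed running-config excerpts: before and after the advisory's mitigation.
CONFIG_BEFORE = """hostname edge-rtr-1
ip http server
ip http secure-server
username admin privilege 15 secret 9 <hash-placeholder>
"""
CONFIG_AFTER = """hostname edge-rtr-1
no ip http server
no ip http secure-server
username admin privilege 15 secret 9 <hash-placeholder>
"""

def http_server_status(running_config: str) -> dict:
    """Whether the HTTP and HTTPS servers are enabled in a running-config snapshot.
    A disabled server is rendered as 'no ip http server', so exact line matching suffices."""
    lines = {line.strip() for line in running_config.splitlines()}
    return {"http": "ip http server" in lines,
            "https": "ip http secure-server" in lines}

def privileged_users(running_config: str, min_level: int = 15) -> set:
    """Usernames defined at or above min_level; diff two snapshots to spot additions."""
    pat = re.compile(r"^username (\S+) privilege (\d+)", re.MULTILINE)
    return {name for name, lvl in pat.findall(running_config) if int(lvl) >= min_level}
```

Feed the device's archived configuration log or a periodic show running-config capture into these functions; any new entry returned by find_new_privileged_accounts or any difference between two privileged_users results is worth an alert.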

Associated Articles:

Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised

Cisco IOS XE