Key Points
A critical severity CVSS 10 zero-day vulnerability in Cisco’s IOS XE software has been exploited in the wild. Cisco hasn’t released a patch yet but it has provided some mitigation steps - but before you panic, let’s look at who’s actually affected.
What is the Cisco vulnerability (CVE-2023-20198)?
A security vulnerability is actively being exploited in the web user interface (UI) of Cisco’s IOS XE software which is installed on many Cisco controllers, switches, edge, branch and virtual routers.
The web UI is an embedded GUI-based tool that can be used to provision, monitor, and troubleshoot the system, build configurations, simplify system deployment and manageability, and enhance the user experience. It’s not supposed to be exposed to the internet or untrusted networks, but the web interface is turned on by default, and you have to jump through hoops to turn it off.
Where the software is accessible from the internet, this gives remote, unauthenticated attackers the chance to create an account with privilege access level 15 on the impacted system. This can then be used to gain unauthorized control over the vulnerable system.
Should I be worried?
CVE-2023-20198 can be combined with a previous vulnerability, CVE-2021-1435, which Cisco patched back in 2021. This required authentication, but it can now be chained with the new vulnerability to bypass authentication so attackers can leverage the older vulnerability to execute system commands, which could then be used to pivot the internal network, if needed.
While this makes the vulnerability more severe if chained, the new vulnerability is still bad news if you have an attacker with level 15 privileges on the web UI, even without the RCE. It could possibly allow them to edit your Cisco configuration by poking holes in your firewall and providing external access to internal hosts. So CVE-2023-20198 is still critical even if it's not chained to the older, medium severity CVE-2021-1435.
What systems are at risk?
The vulnerability only affects Cisco IOS XE software if the web UI feature is enabled, but as the web interface is enabled by default it's definitely worth following Cisco's advisory and patching as soon as it's available, because the web UI may be exposed to internal networks and used for pivoting.
There are just shy of 50k IOS devices exposed to the internet at the moment which shouldn't be there but are – around 8,000 in the US, 1,000 in the UK and 1,000 in Canada – while Censys says there are about 49,000 XE web UIs that are exposed to the internet. This shows just how important attack surface management is – you need to know what’s exposed, so when something like this lands, you can find those assets, and mitigate or patch.
Is there a patch available/should you apply the patch?
As of now, no patch or workaround is currently available from Cisco, but they strongly recommend customers disable the HTTP Server feature on all their internet exposed IOS XE devices as a precaution.
How Intruder is helping
We’re actively monitoring the situation and will provide updates as more information becomes available. Intruder has various powerful scanners under the hood, but some Tenable detections rely on services which aren’t always exposed to the internet, so our Security team are conducting Rapid Response to detect any publicly exposed interfaces for Premium and Vanguard customers.
![How bad is the Citrix Bleed vulnerability [CVE-2023-4966]?](https://cdn.prod.website-files.com/61dd9339d05701829d0b3241/653925d3a157a3f7852f5457_citrix-sq.webp)
