CVE-2023-20198

Vulnerability updated 5 months ago (2024-05-04T20:51:54.193Z)
CVE-2023-20198 is a critical zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software. It was discovered when Cisco identified an active exploitation campaign targeting this previously undisclosed flaw, which enabled threat actors to create administrative accounts and install malicious implants on IOS XE devices. Because the vulnerable Web UI was exposed to the internet or untrusted networks, thousands of IOS XE devices were compromised, as security firm VulnCheck warned.

Exploitation of CVE-2023-20198, together with a second vulnerability, CVE-2023-20273, was part of a larger campaign in which tens of thousands of IOS XE devices were compromised over a single week. This attack wave occurred in October and marked a shift in tactics: the threat actors had initially compromised networks through poorly secured implementations of Windows RDP (Remote Desktop Protocol) and stolen credentials, but towards the end of the year they increasingly exploited the vulnerability in devices running Cisco Systems' IOS XE operating system.

In response, Cisco released a security advisory detailing the vulnerability and its potential impact, and provided patches that fix both CVE-2023-20198 and CVE-2023-20273. This response followed the discovery that the two zero-day vulnerabilities were being used to compromise over 50,000 IOS XE devices within a single week. Organizations are urged to ensure their systems are updated and properly secured against potential future attacks.
Description last updated: 2024-03-17T13:16:47.658Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cisco
Ios
Vulnerability
Exploit
CISA
Zero Day
Associated Vulnerabilities
Description: The CVE-2023-20273 Vulnerability is associated with CVE-2023-20198. CVE-2023-20273 is a high-severity zero-day vulnerability disclosed by Cisco on October 21, 2023. This flaw in software design or implementation was actively exploited to deploy malicious implants on IOS XE devices. The exploitation of this vulnerability was discovered during the investigation of anois related to
Votes: 2