Cisco discloses new IOS XE zero-day exploited to deploy malware implant

Cisco disclosed a new high-severity zero-day (CVE-2023-20273) today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week.

The company said it found a fix for both vulnerabilities and estimates it will be released to customers via the Cisco Software Download Center over the weekend, starting October 22.

"Fixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22. The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity," Cisco said today.

On Monday, Cisco disclosed that unauthenticated attackers have been exploiting the CVE-2023-20198 authentication bypass zero-day since at least September 18 to hack into IOS XE devices and create "cisco_tac_admin" and "cisco_support."

As revealed today, the CVE-2023-20273 privilege escalation zero-day is then used to gain root access and take complete control over Cisco IOS XE devices to deploy malicious implants that enable them to execute arbitrary commands at the system.

Over 40,000 Cisco devices running the vulnerable IOS XE software have already been compromised by hackers using the two still-unpatched zero-days, according to Censys and LeakIX estimations. Two days earlier, VulnCheck estimates were floating around 10,000 on Tuesday, while the Orange Cyberdefense CERT said one day later that it found malicious implants on 34,500 IOS XE devices.

Networking devices running Cisco IOS XE include enterprise switches, access points, wireless controllers, as well as industrial, aggregation, and branch routers.

While it's hard to get the exact number of Internet-exposed Cisco IOS XE devices, a Shodan search currently shows that more than 146K vulnerable systems are exposed to attacks.

Cisco has cautioned administrators that, even though security updates are unavailable, they can still block incoming attacks by disabling the vulnerable HTTP server feature on all internet-facing systems.

"We strongly urge customers to take these immediate actions as further outlined in our updated security advisory and Talos blog," a Cisco spokesperson told BleepingComputer.

Admins are also strongly advised to look for suspicious or recently created user accounts as potential indicators of malicious activity associated with these ongoing attacks.

One way to detect the malicious implant on compromised Cisco IOS XE devices requires running the following command on the device, where the placeholder "DEVICEIP" represents the IP address under investigation:

curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

Last month, Cisco warned customers to patch another zero-day bug (CVE-2023-20109) in its IOS and IOS XE software, also targeted by attackers in the wild