The BSI warns of an actively exploited vulnerability in the Cisco Web UI of IOS XE. The CVE-2023-20198 vulnerability has the highest CVSS score of 10.0 and is therefore critical. Many switches, routers and WLAN controllers are at risk.
On October 16, Cisco released an advisory regarding an unpatched and actively exploited vulnerability in the Web UI of IOS XE. The vulnerability with the identifier CVE-2023-20198 allows remote, unauthenticated attackers to create new accounts (with level 15 access rights) on the affected system. Attackers are therefore able to gain control over affected IOS XE systems and compromise the devices on which the software is used (switches, routers, WLAN controllers). The vulnerability has received the highest CVSS rating of 10.0 (“critical”).
Currently no patch available
Affected are physical and virtual devices with IOS XE whose web interface (Web UI) is activated. There is a particular risk if they can be accessed from the Internet. The web interface is a GUI-based system management tool to simplify deployment,
Commissioning and management of Cisco IOS XE systems. It is delivered by default and does not need to be explicitly activated or installed. The interface represents a user-friendly alternative to administration without having to use command line interfaces. However, Cisco recommends that the interface should not be accessible from the Internet or untrusted networks.
Security admins have to react
A patch for the vulnerability is not yet available, but Cisco points to necessary mitigation measures. Cisco has also observed active exploitation of the vulnerability. A post from Cisco Talos reports that the first attacks on the vulnerability took place on September 18th.
IT security managers should check as soon as possible for their Cisco IOS Whether the web interface is activated can be checked using various commands that the BSI lists in its security warning.
More at BSI.Bund.de
About the Federal Office for Information Security (BSI) The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.