Cisco patches IOS XE zero-days used to hack over 50,000 devices

News
By Sead Fadilpašić
published

A flaw gave hackers privilege level 15 access

cisco logo
(Image credit: Shutterstock / Ken Wolter)

Cisco has released a patch to fix two high-severity flaws that were being abused in the wild to take over vulnerable endpoints. 

The first fixed version is 17.9.4a, and IT admins are urged to apply it immediately and secure their premises. The patch can be found in the company’s Software Download Center.

News recently broke of hackers exploiting a critical vulnerability in some Cisco devices to gain full admin control of entire networks. The vulnerability was found in the Web User Interface of Cisco IOS XE software connected to the public internet. So, whatever Cisco endpoint (routers, switches, etc.) that runs the software, has HTTP and HTTPS Server features enabled, and is connected to the internet, was vulnerable to full device takeover.

Identifying compromised devices

It was reported that some 80,000 endpoints were affected by the flaw at the time, which is tracked as CVE-2023-20198, and carries a severity rating of 10. The second vulnerability is tracked as CVE-2023-20273, and carries a severity score of 7.2.

A threat actor that manages to successfully exploit these two flaws can create an account with privilege level 15 access, which gives them full access to the compromised device and allows them to install even more malware. “This is a critical vulnerability, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory,” researchers from Talos said at the time.

Initial reports also claimed someone had been exploiting the flaw for a month before it was uncovered, but no one knows who, or against whom.

While the researchers initially saw up to 80,000 vulnerable endpoints, the number dropped over the last weekend to “just a few hundred”, BleepingComputer reported. Cybersecurity experts from For-IT said the malicious code of thousands of devices was “altered to check for an Authorization HTTP header value before responding”. In other words, the analysis method was wrong. Using a different method showed almost 40,000 compromised devices.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.