The Cisco IOS XE zero-day vulnerability has recently become a hot topic in the cybersecurity industry. The vulnerability lies in the Web UI feature of the IOS XE software developed by Cisco. The zero-day vulnerabilities being actively exploited in real attacks are CVE-2023-20198 and CVE-2023-20273. Notably, CVE-2023-20198 has been assigned the maximum CVSS score of 10, with Cisco describing it as “a vulnerability that allows an attacker to access the victim’s system with level 15 privileges.” Exploitation of the Cisco IOS XE zero-day has proven more severe than anticipated, allowing an attacker to execute any command and change configuration settings. On October 16, Cisco issued a security advisory for these vulnerabilities, noting that, at present, the only recommended defense is to disable the Web UI feature of IOS XE.

How to Detect Devices Exposed to Cisco IOS XE Zero-Day Threats
To identify devices exposed to the Cisco IOS XE zero-day threats, use the search query “WebUI product: “OpenResty””. This query looks for hosts whose product is OpenResty, the web server that fronts the Cisco Web UI, and so finds Cisco IOS XE Web UI devices that are reachable from the internet. With the Product Filter in Criminal IP Asset Search, you can search for the IP addresses associated with a specific product.
Search Query: WebUI product: “OpenResty”

The search results discovered more than 56,000 Cisco IOS XE devices running on OpenResty servers. Given Cisco’s global popularity, you can see that these devices are being used all around the world. A total of 176 countries appeared to be using Cisco IOS XE Web UI devices. Among them, the United States appeared the most with 9,599 devices, followed by the Philippines with 4,131 devices, and Peru with 4,080 devices.

Autonomous System Statistics for Cisco IOS XE Zero-Day-Related Devices
With Criminal IP Element Analysis, you can use the as_name filter to see which autonomous systems host the devices that expose the Web UI feature.

The autonomous systems that topped the statistics charts were ISPs providing internet access to households and companies. Filipino telecommunication company Globe Telecoms appeared the most with 2,607 devices, followed by Chilean telecommunication company CTC Corp S.A. Telefonica Empresas with 2,334 devices, and Peruvian telecommunications company America Movil Peru S.A.C with 2,113 devices.
No security patch has been released for the existing Cisco IOS XE Web UI zero-day vulnerability. Ongoing research is investigating the potential for further exploits. If you use a Cisco IOS XE device, we recommend staying informed by checking the latest security advisories on the official site.
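Since the interim defense is to turn the Web UI off, a defender's first question is which of their own IOS XE devices still have it listening and unrestricted. The following audit script is an added example, not code from the Criminal IP report or from Cisco; the running-config excerpt is constructed, and the checks rely on the standard IOS XE commands ip http server, ip http secure-server and ip http access-class.

```python
"""Audit an IOS XE running-config for an exposed Web UI and emit the
commands that disable it (added example; sample config is constructed)."""
import re

# Constructed running-config excerpt: both HTTP and HTTPS Web UI listeners
# are on and no access-class limits which sources may reach them.
SAMPLE_CONFIG = """\
hostname edge-router-01
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""

# 'ip http server' / 'ip http secure-server', optionally negated with 'no '
HTTP_RE = re.compile(r"^(no )?ip http (server|secure-server)\s*$", re.M)
# 'ip http access-class <acl>' or 'ip http access-class ipv4 <acl-name>'
ACL_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)", re.M)


def audit_webui(config: str) -> dict:
    """Report which Web UI listeners are enabled and whether an access-class
    restricts them. A listener with no access-class is treated as exposed;
    this is a deliberate simplification (an ACL may still be too permissive)."""
    enabled = {"server": False, "secure-server": False}
    for negated, name in HTTP_RE.findall(config):
        enabled[name] = not negated          # "no " prefix means disabled
    acl = ACL_RE.search(config)
    exposed = any(enabled.values()) and acl is None
    return {"http": enabled["server"], "https": enabled["secure-server"],
            "access_class": acl.group(1) if acl else None, "exposed": exposed}


def remediation(result: dict) -> list:
    """Config-mode commands that turn off every listener the audit found enabled,
    matching Cisco's interim recommendation to disable the Web UI feature."""
    cmds = []
    if result["http"]:
        cmds.append("no ip http server")
    if result["https"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    finding = audit_webui(SAMPLE_CONFIG)
    print(finding)
    print("\n".join(remediation(finding)))
```

Run it against `show running-config` output collected from each device; any result with exposed set to True is a candidate for the remediation commands until a fixed release is installed.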
Check out the article on the MOVEit Zero-Day: Detecting Servers Exposed to Data Leak Attacks.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence.
Source: Criminal IP (https://www.criminalip.io)