Cisco warns customers of actively exploited critical vulnerability in IOS XE devices
Cisco Systems Inc. is warning customers of its IOS XE devices of a critical vulnerability that has no patch and is actively being exploited in the wild.
The vulnerability, tracked as CVE-2023-20198, has been given the highest possible Common Vulnerability Scoring System (CVSS) score of 10 and is found in all Cisco IOS XE devices that have the Web UI feature enabled. The vulnerability affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.
The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which gives the attacker complete control of the affected system.
According to a blog post from Cisco Talos, exploitation of the vulnerability was first discovered on Sept. 28 when unusual behavior on a customer device was detected, although the first attack has since been found to have occurred on Sept. 18. Cisco Talos Incident Response and Cisco’s Technical Assistance Center later detected an additional cluster of related activity on Oct. 12, when an unauthorized user was observed creating a local user account under the name “cisco_support” from a suspicious IP address.
Given that no patch, mitigation or workaround is currently available to address the vulnerability, Cisco is advising all IOS XE device customers to disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, customers should enter the “no ip http server” or “no ip http secure-server” command in global configuration mode.
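The two checks described above (is the Web UI enabled, and has an unexpected privilege-15 local account such as “cisco_support” appeared) can be run over a saved running-config. The script below is an added example, not Cisco's or Talos's code; the config excerpt and the allow-list of known accounts are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of an IOS XE running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
username netops privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Local accounts the organisation actually provisioned (assumed allow-list).
KNOWN_ACCOUNTS = {"admin", "netops"}

# "username <name> [privilege <n>] ..."; privilege defaults to 1 when omitted.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)


def audit_config(config: str, known_accounts=KNOWN_ACCOUNTS) -> Dict[str, object]:
    """Flag an enabled Web UI and any local account not on the allow-list."""
    lines = [line.strip() for line in config.splitlines()]
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines

    # Global-config commands from the advisory that turn the Web UI off.
    remediation: List[str] = []
    if http_enabled:
        remediation.append("no ip http server")
    if https_enabled:
        remediation.append("no ip http secure-server")

    # Any local account not on the allow-list is suspicious; level 15 doubly so.
    unexpected = []
    for name, priv in USERNAME_RE.findall(config):
        if name not in known_accounts:
            unexpected.append({"user": name, "privilege": int(priv) if priv else 1})

    return {
        "web_ui_enabled": http_enabled or https_enabled,
        "remediation": remediation,
        "unexpected_accounts": unexpected,
    }
```

Run `audit_config(open("running-config.txt").read())` against a config pulled with `show running-config`; an empty remediation list and an empty unexpected-accounts list is the clean result.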
“Cisco has not provided the list of devices affected, which means that any switch, router or WLC running IOS XE that has the web UI exposed to the internet is vulnerable,” Mayuresh Dani, manager of threat research at information technology security and compliance platform company Qualys Inc., told SiliconANGLE. “Based on my searches using Shodan, there are about 40,000 Cisco devices that have web UI exposed to the internet. A majority of those are listening on port 80.”
John Gallagher, vice president of Viakoo Labs at vulnerability management company Viakoo Inc., noted that the vulnerability is a great reminder that administrators need detailed information on their systems in cases such as this where there’s no patch available.
“Organizations should use the time they have right now before a patch is issued to ensure they have an automated and effective patching solution in place,” Gallagher added. “Routers, like many other IoT devices, are sometimes managed outside of IT, so having an agentless IoT patching solution will be critical for closing the window of vulnerability.”
Photo: Wikimedia Commons