Cisco Systems Inc. was busy last week shoring up the security of its IOS XE routers and switches as a vulnerability in their web user interface allowed remote attackers to gain control over some these systems, which could number around 40,000.

The web interface to manage is used to provision and configure the device as well as troubleshoot problems and supplements the command-line interface. The initial attack happened in mid-September, but wasn’t seen by Cisco Talos researchers until the end of September. Additional analysis found other instances a few weeks ago, when an unauthorized user was observed creating a local user account under the names “cisco_tac_admin” and “cisco_support” from a suspicious IP address.

Typically, configuring these devices is limited to very privileged network administrators, since these changes can prevent network functions or introduce vulnerabilities unintentionally or deliberately. But what happened with the IOS XE software line is a series of discoveries that have made matters more complicated.

After the first vulnerability was found, researchers at the company initially thought they had discovered another but older problem that was first identified in 2021. Then they realized that wasn’t accurate, and they had a new zero-day vulnerability on their hands.

Taken together, the two bugs could provide root access where attackers could deploy malware or execute any commands to these devices, regardless of the users’ security and access rights. Given the core networking role that Cisco plays in numerous enterprises, this was a serious situation that could potentially paralyze numerous network operations.

The two problems — now correctly identified — have prompted Cisco to begin issuing patches from its software download service for various versions of IOS XE, starting with the most recent version 17.9 that is available now. The company also suggested that the web interface could be disabled via the command line or network traffic to the device should be temporarily blocked. Network administrators should also examine their access logs for any suspicious or malicious activity involving these interfaces.

Image: Cisco