Cisco has disclosed a second zero-day vulnerability that is being actively exploited in IOS XE. The disclosure comes as the number of devices on which the attackers' implant can still be seen has dropped sharply.

Cisco recently warned customers about a zero-day vulnerability that threat actors have been exploiting since at least mid-September. Tracked as CVE-2023-20198, the flaw affects the web user interface (web UI) of the IOS XE operating system. It allows a remote, unauthenticated attacker to create an account with privilege level 15, the highest privilege level on the device.


Once such an account exists, the attackers have consistently been observed installing a Lua-based implant that lets them execute arbitrary commands on the device.

Cisco initially reported that the attackers were using an older IOS XE command injection vulnerability, CVE-2021-1435, to install the implant. However, Cisco also found the implant on devices that were already patched against CVE-2021-1435, which pointed to a second, undisclosed zero-day.

Cisco has now confirmed that a second zero-day, tracked as CVE-2023-20273, is the vulnerability used to deploy the implant.

“The attacker started by taking advantage of the CVE-2023-20198 vulnerability to obtain initial access, and then they sent a privilege 15 command to set up a local user and password combination,” Cisco elaborated in its advisory, underscoring that this maneuver granted the attacker access as a regular user. “The attacker then took advantage of another feature of the web UI, elevating their privileges to root by leveraging the newly created local user and writing the implant to the file system.”

Cisco now says it no longer believes CVE-2021-1435 played any role in these attacks.

When Cisco first disclosed the attacks it could only offer mitigations, chiefly disabling the HTTP server feature on internet-facing devices (the "no ip http server" and "no ip http secure-server" configuration commands). It has since released fixed software for both vulnerabilities. Patching alone does not remediate a device that has already been compromised, however: any accounts and configuration changes the attackers left behind must still be found and removed.

Meanwhile, several security firms have been scanning the internet for compromised devices. At one point more than 40,000 Cisco switches and routers were found to be carrying the implant, and some firms counted as many as 53,000.

The number of visibly infected devices has since fallen sharply. In its latest scans, the Shadowserver Foundation detected the backdoor on only about a hundred systems.

CERT Orange Cyberdefense cautions against reading too much into that drop. It suspects the attackers are actively hiding the implant from scanners, and warns that a substantial number of compromised devices may remain even though scans no longer find them.

It is also important to note that the account created through CVE-2023-20198 is persistent, while the implant is not: the implant is removed when the device reboots, but the attacker-created account survives. A reboot therefore clears the implant without removing the attacker's foothold.
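Because the implant disappears on reboot but the account does not, the useful post-patch check is an audit of the device configuration rather than a scan for the implant. The script below is an added example, not code from the article or from Cisco: it parses a constructed "show running-config" excerpt from a hypothetical device, flags any privilege-15 local user that is not in an operator-maintained baseline, reports whether the web UI (HTTP server feature) is still enabled, and emits the IOS XE commands that would remove the unknown account and disable the web UI. The sample config, the usernames and the baseline set are all made up for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample "show running-config" excerpt from a hypothetical IOS XE
# device. It is not taken from the article or from any real compromise; the
# hostname, usernames and secret hashes are made up.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$madeuphash1
username svc_backup privilege 15 secret 9 $9$madeuphash2
username helpdesk privilege 1 secret 9 $9$madeuphash3
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
"""

# Hypothetical baseline: the administrative accounts the operator expects to
# find. In practice this comes from a config backup taken before the
# exploitation window, never from the device being audited.
KNOWN_ADMINS = {"netops"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\b")


@dataclass
class AuditResult:
    webui_enabled: set = field(default_factory=set)        # "server", "secure-server"
    unexpected_priv15: list = field(default_factory=list)  # usernames to review
    remediation: list = field(default_factory=list)        # IOS XE commands to apply


def audit_running_config(config_text: str, known_admins: set) -> AuditResult:
    """Flag web UI exposure and privilege-15 local users absent from the baseline.

    Only "username <name> privilege 15 ..." lines are matched; accounts that get
    level 15 some other way (AAA, enable secret) need a full diff against a
    known-good backup, which this example does not do.
    """
    result = AuditResult()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            negated, service = m.group(1), m.group(2)
            # A "no ip http ..." line in the config means that service is off.
            if negated:
                result.webui_enabled.discard(service)
            else:
                result.webui_enabled.add(service)
            continue
        m = USERNAME_RE.match(line)
        if m and int(m.group(2)) == 15 and m.group(1) not in known_admins:
            result.unexpected_priv15.append(m.group(1))

    # Remediation: delete unknown privilege-15 users, then disable the web UI
    # services that are still on.
    for user in result.unexpected_priv15:
        result.remediation.append(f"no username {user}")
    for service in sorted(result.webui_enabled):
        result.remediation.append(f"no ip http {service}")
    return result


if __name__ == "__main__":
    r = audit_running_config(SAMPLE_RUNNING_CONFIG, KNOWN_ADMINS)
    print("web UI services enabled:", sorted(r.webui_enabled))
    print("unexpected privilege-15 users:", r.unexpected_priv15)
    print("suggested config lines:")
    for cmd in r.remediation:
        print("  " + cmd)
```

Run it against the output of "show running-config" collected over SSH after the device has been rebooted and patched; the reboot removes the implant, and this audit catches the account that the reboot does not remove. Treat any flagged account as evidence of compromise to be investigated, not merely deleted.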

There is currently no public evidence of who is behind these attacks or what their ultimate objectives are.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on mitigating CVE-2023-20198 and CVE-2023-20273 and has added both to its Known Exploited Vulnerabilities (KEV) catalog, which directs federal agencies to patch them promptly.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
