CISA adds second Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini October 23, 2023

US CISA added the vulnerability  in Cisco IOS XE to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)  the vulnerability  in Cisco IOS XE to its .

The vulnerability is an unspecified issue in the web user interface. An attacker can chain this flaw with CVE-2023-20198 to leverage the new local user to elevate privilege to root and write the implant to the file system.

Cisco last week warned customers of a zero-day vulnerability, tracked as  (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases. The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.

While investigating attacks exploiting the flaw , Cisco noticed attacks on systems patched against this issue, a circumstance that suggested that threat actors were exploiting a second zero-day flaw.

“Our investigation has determined that the actors exploited two previously unknown issues.” reads the  published by the company. “The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.

The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.

  • CVE-2023-20198 has been assigned a CVSS Score of 10.0.
  • CVE-2023-20273 has been assigned a CVSS Score of 7.2.”

The IT giant has now addressed both zero-day vulnerabilities and also provided mitigations for them.

The US CISA has released  for addressing CVE-2023-20198 and CVE-2023-20273 vulnerabilities.

According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the  and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by October 27, 2023.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, CISA)



you might also like

leave a comment