Breaking Bytes: Cisco’s Comedy of Errors Unleashes Hacker’s DIY Project on 41,000 Devices

Three hip-hip-hoorays for the latest Cisco IOS XE vulnerabilities! A hacker’s playground, where ‘Create-a-User’ is the new ‘tag’ and 41,000 Cisco devices are ‘it’. But don’t fret, a patch is coming…someday. Until then, grab your popcorn and enjoy the spectacle of small entities finally making it to the big leagues…in the worst way possible.

Hot Take:

Three cheers for yet another zero-day vulnerability! This time, it’s courtesy of Cisco’s IOS XE. But don’t worry, they’re on it. In fact, a patch is in the works and will be available… eventually. Meanwhile, it seems some hacker has decided to play “Create-a-User” with privileged access, just because they can. And the cherry on top? Over 41,000 Cisco devices have been compromised. Another day, another security flaw. Yawn!

Key Points:

  • Cisco warns of a new zero-day vulnerability in their IOS XE, being actively exploited by an unknown threat actor.
  • The flaw, tracked as CVE-2023-20273, is a privilege escalation flaw that has been used alongside another vulnerability as part of an exploit chain.
  • An attacker can create a privileged user account, gaining complete control over the device.
  • A patch for both vulnerabilities is being worked on and will be released on October 22, 2023.
  • More than 41,000 Cisco devices running the vulnerable software are estimated to have been compromised.

Need to know more?

Attack of the Cloned Users

The attacker first exploits a vulnerability to gain initial access and then issues a privilege 15 command to create a local user and password combo. Next step? Log in with that normal user account, exploit another part of the web UI feature, and elevate that user's privilege to root. Now they can write the implant to the file system. It's like a hacker's version of a DIY project.

Coming Soon: The Patch

While the hacker is having a field day, Cisco is working on a fix for both vulnerabilities. The patch is set to be released on October 22, 2023. Until then, it's recommended to disable the HTTP server feature. So, grab your popcorn and sit tight.
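As an added defender-side example (not from the original post, Cisco, or any real device), here is a small Python audit of an IOS XE running-config for the two things the sections above call out: the web UI still being enabled, and privilege 15 local users that are not on your approved list. The config text and the usernames in it are constructed; the `no ip http server` / `no ip http secure-server` commands are the standard IOS way to turn the web UI off.

```python
import re

# Constructed IOS XE running-config excerpt (not from the page or any real
# device): web UI left on, plus one privilege 15 user the operator never made.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username svc_webui_tmp privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# 'no ip http server' / 'no ip http secure-server' are the IOS commands behind
# the post's "disable the HTTP server feature" advice.
HTTP_SERVER_RE = re.compile(r"^(no )?ip http (secure-)?server\s*$", re.M)
USER_RE = re.compile(r"^username (\S+) privilege (\d+)", re.M)


def http_services_enabled(config):
    """Return the web UI services still on: a subset of {'http', 'https'}."""
    enabled = set()
    for m in HTTP_SERVER_RE.finditer(config):
        name = "https" if m.group(2) else "http"
        if m.group(1):  # leading 'no ' means the service is disabled
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def unexpected_priv15_users(config, baseline):
    """Return privilege 15 local users that are not in the approved baseline."""
    return sorted(user for user, level in USER_RE.findall(config)
                  if int(level) == 15 and user not in baseline)


def audit(config, baseline):
    """Findings plus the exact commands that close the web UI exposure."""
    enabled = sorted(http_services_enabled(config))
    return {
        "web_ui_enabled": enabled,
        "unexpected_priv15_users": unexpected_priv15_users(config, baseline),
        "remediation": [f"no ip http {'secure-' if s == 'https' else ''}server"
                        for s in enabled],
    }
```

Feed it the output of `show running-config` and your own list of approved administrators, e.g. `audit(SAMPLE_CONFIG, {"netadmin"})`; any name left in `unexpected_priv15_users` is a local account you did not create.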

Who's Been a Naughty Device?

So how many devices have been playing host to our hacker's DIY project? Well, according to data from Censys and LeakIX, over 41,000 Cisco devices running the vulnerable IOS XE software have been compromised. The primary targets are not large corporations, but smaller entities and individuals. So, congratulations to all the little guys out there: you've finally made it to the big leagues...sort of.
Tags: Cisco, IOS XE Flaw, Malicious Lua-based Implant, Network Security, persistent threats, Privilege Escalation Flaw, vulnerability exploit