Cisco's IOS XE software zero day vulnerability presents a significantly concerning scenario
In a recent development, cybersecurity firms have issued a warning about an actively exploited zero-day vulnerability in Cisco IOS XE software. This vulnerability allows remote, unauthenticated attackers to create accounts on an affected system, potentially giving them full control over the device.
The suspicious activity was first traced back to Sept. 18, when an authorized user created a local user account under the name "cisco_tac_admin" from a suspicious IP address. By Oct. 12, another account under the name "cisco_support" was created from a different suspicious IP address.
The vulnerability, identified as CVE-2023-20198, has been added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities Catalog. The implant used in these attacks is based on the Lua programming language and was installed by unknown means on devices that were fully patched against CVE-2021-1435.
Researchers at Cisco Talos initially noticed potentially malicious activity on Sept. 28. The threat actor appears to have extensive knowledge of Cisco IOS XE, as evidenced by the threat activity involving multiple vulnerabilities.
No current patch or existing workaround is available for this vulnerability. However, Cisco has released updates addressing multiple vulnerabilities in IOS XE as recently as mid-2025. Users are urged to upgrade to the latest stable IOS XE versions such as 17.17.1 or later that contain these fixes.
In light of these developments, it is crucial for Cisco IOS XE users to take immediate action to secure their systems. Here are the recommended steps:
- Review Cisco’s official security advisories for any announced zero-day or critical vulnerabilities affecting your IOS XE version.
- Apply the provided security patches or upgrade to the latest Cisco IOS XE software release containing those fixes.
- If patching is not immediately possible, implement any recommended access control or network segmentation measures to limit exposure until fixes can be applied.
- Monitor Cisco’s security advisories regularly, since new zero-day or critical vulnerabilities continue to be discovered.
Staying current with Cisco’s security updates and promptly applying patches is the primary and recommended defense against zero-day vulnerabilities in Cisco IOS XE software actively exploited in the wild.
According to experts, an attacker with such high-level access could modify network routing rules, open ports to access controlled servers, and potentially steal data. They could also monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks, as stated by Jacob Baines, CTO and lead researcher at VulnCheck, and Scott Caveza, staff research engineer at Tenable.
In conclusion, it is essential for Cisco IOS XE users to prioritize security updates and patches to protect their systems against these types of threats.
- The recently identified zero-day vulnerability in Cisco IOS XE software, known as CVE-2023-20198, poses a significant risk to cybersecurity, as it allows unauthenticated attackers to gain full control over affected devices, potentially leading to data theft or network manipulation.
- In the general-news sphere, this vulnerability has gained attention due to its exploitation in the wild and the potential severity of its impact on privacy, with attackers possibly modifying network routing rules, opening ports to access controlled servers, and stealing data.
- To mitigate the risk of this vulnerability, it's crucial for Cisco IOS XE users to follow best cybersecurity practices, including reviewing Cisco's security advisories, applying provided patches, implementing access control or network segmentation measures, and regularly monitoring for new zero-day vulnerabilities.
