Cisco disclosed a second high-severity zero-day today, actively exploited to deploy malicious implants on IOS XE devices already compromised through the CVE-2023-20198 zero-day unveiled earlier this week. The company said it has a fix for both vulnerabilities and estimates it will be released to customers via the Cisco Software Download Center over the weekend, starting October 22.

"Fixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22. The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity," Cisco said today.

On Monday, Cisco disclosed that unauthenticated attackers have been exploiting the CVE-2023-20198 authentication bypass zero-day since at least September 18 to break into IOS XE devices and create local user accounts named "cisco_tac_admin" and "cisco_support". As revealed today, the CVE-2023-20273 privilege escalation zero-day is then used to gain root access and take complete control of the device, deploying a malicious implant that lets the attackers execute arbitrary commands at the system level.

Over 40,000 Cisco devices running the vulnerable IOS XE software have already been compromised using the two still-unpatched zero-days, according to estimates from Censys and LeakIX. VulnCheck's estimate on Tuesday was around 10,000 devices, and a day later the Orange Cyberdefense CERT said it had found malicious implants on 34,500 IOS XE devices.

Networking devices running Cisco IOS XE include enterprise switches, access points, wireless controllers, and industrial, aggregation, and branch routers. While the exact number of Internet-exposed Cisco IOS XE devices is hard to pin down, a Shodan search currently shows more than 146,000 potentially vulnerable systems exposed to attacks.
Cisco has cautioned administrators that, even though security updates are not yet available, they can still block incoming attacks by disabling the vulnerable HTTP server feature on all internet-facing systems. "We strongly recommend organizations that may be affected by this activity immediately implement the guidance outlined in Cisco's Product Security Incident Response Team advisory," the company said.

Admins are also strongly advised to look for suspicious or recently created user accounts as potential indicators of malicious activity associated with these ongoing attacks.

Last month, Cisco warned customers to patch another zero-day bug in its IOS and IOS XE software that was also being targeted by attackers in the wild.
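The two checks above (is the web UI still enabled, and which local accounts exist) are easy to run across saved running-config backups rather than device by device. The script below is an added example written for this article, not code from Cisco or from BleepingComputer. It assumes you have each device's running-config as text; the sample config and the hostname are constructed, and the unexpected account name mirrors the one the article reports. The commands it recommends, `no ip http server` and `no ip http secure-server`, are the standard IOS XE commands that turn off the plain and TLS web servers respectively.

```python
import re

# Constructed sample of a Cisco IOS XE running-config (not captured from a real
# device). The second account name mirrors the one the article reports.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$redacted
username cisco_tac_admin privilege 15 secret 9 $9$redacted
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""

# Lines that turn the web UI on. Anchored at line start so the disabled form
# ("no ip http server") does not match.
_HTTP_RE = re.compile(r"^ip http server\s*$", re.MULTILINE)
_HTTPS_RE = re.compile(r"^ip http secure-server\s*$", re.MULTILINE)
# "username <name> [privilege <n>] ..."; the IOS default privilege level is 1.
_USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)


def web_ui_enabled(config: str) -> dict:
    """Report whether the plain (HTTP) and TLS (HTTPS) web servers are enabled."""
    return {
        "http": _HTTP_RE.search(config) is not None,
        "https": _HTTPS_RE.search(config) is not None,
    }


def local_users(config: str) -> list:
    """Return (username, privilege) for every local account in the config."""
    return [(m.group(1), int(m.group(2) or 1)) for m in _USER_RE.finditer(config)]


def audit(config: str, expected_users: set) -> list:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    web = web_ui_enabled(config)
    if web["http"] or web["https"]:
        findings.append(
            "web UI still enabled; apply 'no ip http server' and "
            "'no ip http secure-server' on internet-facing devices"
        )
    # Any local account not on the allow-list is a candidate attacker-created
    # account and should be investigated, not just deleted.
    for name, priv in local_users(config):
        if name not in expected_users:
            findings.append(f"unexpected local account '{name}' (privilege {priv})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"netadmin"}):
        print(finding)
```

Two caveats when using this. Disabling the web UI also removes legitimate web-based management, so confirm nothing depends on it before pushing the change fleet-wide. And a clean account list does not prove a device is clean: an implant deployed after root access was obtained may not show up in the running-config at all, so treat an unexpected privilege-15 account as a reason to pull the device into incident response rather than as the whole investigation.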
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000