iTnews Asia
Cisco warns of critical IOS vulnerability being exploited

First observed in a customer environment last month.

By Ry Crozier on Oct 18, 2023 2:58PM

Cisco is warning of a critical unpatched vulnerability in the web UI feature of its Internetwork Operating System (IOS) XE software that is being actively exploited.

The vulnerability affects physical and virtual enterprise networking services running IOS XE that also have the HTTP or HTTPS Server feature enabled, according to a threat advisory by Cisco Talos.

It has been given the reference CVE-2023-20198 and received a Common Vulnerability Scoring System (CVSS) score of 10.

The vulnerability “allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” the vendor said in a separate advisory.

“The attacker can then use that account to gain control of the affected system.”

Privilege level 15 is the highest of the 16 privileged access levels in IOS, granting “full administrative access”.

The web UI is described as an embedded GUI-based system-management tool used for provisioning, system deployment and manageability, and user experience. 

Cisco urged administrators to check their system logs for specific messages, described in its advisory.

It said there are no current workarounds and that it would communicate with customers “when a software patch is available.”

In the interim, the vendor “strongly recommended” that customers “disable the HTTP Server feature on all internet-facing systems.”

“The recommendation that Cisco has provided in its security advisory to disable the HTTP server feature on internet-facing systems is consistent with not only best practices but also guidance the US government has provided in the past on mitigating risk from internet-exposed management interfaces,” Cisco Talos wrote.  

“This is a critical vulnerability, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s… advisory.”
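One way to act on the interim recommendation across a fleet is to audit saved running-configs for an enabled HTTP or HTTPS server and for level 15 local accounts nobody recognises. The script below is an added example, not code from Cisco or Talos; it assumes configs are exported as text with explicit `ip http server` / `ip http secure-server` lines, and the hostnames, usernames and `known_admins` allow-list are constructed for illustration.

```python
import re

# Constructed sample configs (not taken from any real device).
SAMPLE_CONFIGS = {
    "edge-rtr-01": """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructed
username svc_unknown privilege 15 secret 9 $9$constructed
ip http server
ip http secure-server
ip http authentication local
""",
    "core-sw-02": """\
hostname core-sw-02
username netops privilege 15 secret 9 $9$constructed
no ip http server
no ip http secure-server
""",
}

HTTP_LINE = re.compile(r"^\s*(no\s+)?ip http (server|secure-server)\s*$")
PRIV15_USER = re.compile(r"^\s*username (\S+) privilege 15\b")

def audit_config(text):
    """Return enabled web UI listeners and local users holding privilege level 15."""
    enabled, admins = set(), []
    for line in text.splitlines():
        m = HTTP_LINE.match(line)
        if m:
            # The last statement wins: a 'no' form clears an earlier enable.
            (enabled.discard if m.group(1) else enabled.add)(m.group(2))
            continue
        u = PRIV15_USER.match(line)
        if u:
            admins.append(u.group(1))
    return {"web_ui": sorted(enabled), "priv15_users": admins}

def audit_fleet(configs, known_admins):
    """Flag devices with the web UI on, or with level 15 accounts not on the allow-list."""
    report = {}
    for host, text in configs.items():
        r = audit_config(text)
        r["unknown_priv15"] = [u for u in r["priv15_users"] if u not in known_admins]
        r["action_needed"] = bool(r["web_ui"]) or bool(r["unknown_priv15"])
        report[host] = r
    return report

if __name__ == "__main__":
    for host, result in audit_fleet(SAMPLE_CONFIGS, {"netops"}).items():
        print(host, result)
```

This only inspects configuration; the specific log messages Cisco asks administrators to look for are listed in its advisory and are not reproduced in this article.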

Cisco Talos said the vulnerability was initially observed in a single customer’s environment in mid-to-late September, when the customer lodged a ticket for assistance.

It further observed a similar pattern in other environments this month which appeared “to build off the September activity”, and which Talos deemed to be “likely carried out by the same actor.”
