Cisco IOS XE Web UI actively exploited

3:40am, 17 October 2023

TLP Rating: Clear

Updated: 10:00am, 24 October 2023 to include CVE-2023-20273 and new fixed versions.

Cisco has released an advisory for a critical vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software. The vulnerability, tracked as CVE-2023-20198, allows a remote unauthenticated attacker to create an account on an affected system. Another vulnerability, tracked as CVE-2023-20273, can then be used to gain full control of the device. Cisco has reported that these vulnerabilities are being actively exploited.

What to look for

How to tell if you're at risk

The vulnerability affects Cisco IOS XE software that has the web UI feature enabled. The web UI feature is enabled through the 'ip http server' or 'ip http secure-server' commands outlined in the vendor advisory.

How to tell if you're affected

You can check for the following indicators of compromise / detections as outlined in the vendor advisory:

  • new or unexplained users on devices, such as 'cisco_tac_admin' or 'cisco_support'
  • new or unexplained filenames in the system logs
  • presence of an implant as outlined in the vendor advisory
  • connections to the IP addresses 5.149.249[.]74 or 154.53.56[.]231
  • alerts from the Snort rules outlined in the vendor advisory
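As an added example (not part of this advisory and not a Cisco-provided tool), the following Python checks a captured running-config and a few syslog lines against the two questions above: whether the web UI commands are present, and whether any of the listed usernames or IP addresses appear. The config and log samples are constructed, and the function names are illustrative.

```python
import re

# Constructed sample of IOS XE running-config output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-router
username admin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http authentication local
"""

# Constructed sample syslog lines (not real device output).
SAMPLE_LOGS = """\
Oct 17 02:10:11 edge-router: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5]
Oct 17 02:12:40 edge-router: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 5.149.249.74]
"""

# Indicator values taken from the advisory above (IPs written undefanged, as logs would show them).
SUSPICIOUS_USERS = {"cisco_tac_admin", "cisco_support"}
INDICATOR_IPS = {"5.149.249.74", "154.53.56.231"}
WEB_UI_COMMANDS = ("ip http server", "ip http secure-server")


def web_ui_enabled(config: str) -> list:
    """Web UI commands present in the config; a 'no ip http server' line does not count."""
    lines = {ln.strip() for ln in config.splitlines()}
    return [cmd for cmd in WEB_UI_COMMANDS if cmd in lines]


def unexpected_users(config: str, expected: set) -> list:
    """Local usernames that are advisory indicators or are not in the expected set."""
    found = re.findall(r"^\s*username (\S+)", config, flags=re.MULTILINE)
    return [u for u in found if u in SUSPICIOUS_USERS or u not in expected]


def indicator_ip_hits(logs: str) -> list:
    """Log lines mentioning one of the advisory's indicator IP addresses (whole-address match)."""
    pattern = re.compile(r"(?<!\d)(" + "|".join(re.escape(ip) for ip in INDICATOR_IPS) + r")(?!\d)")
    return [ln for ln in logs.splitlines() if pattern.search(ln)]


def assess(config: str, logs: str, expected_users: set) -> dict:
    """at_risk: the web UI is on; affected: an indicator user or IP address was seen."""
    ui, users, hits = web_ui_enabled(config), unexpected_users(config, expected_users), indicator_ip_hits(logs)
    return {"web_ui": ui, "at_risk": bool(ui), "users": users, "ip_lines": hits, "affected": bool(users or hits)}
```

Run `assess()` over `show running-config` and log exports collected from the device; a device that is merely at risk still needs the upgrade or mitigation below, while any hit under "affected" warrants incident handling.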

What to do

Prevention

Upgrade your devices running Cisco IOS XE to these latest versions as soon as possible:

  • 17.9.4a

Cisco has announced these further fixed updates, which are yet to be released:

  • 17.6.6a
  • 17.3.8a
  • 16.12.10a (Catalyst 3650 and 3850 only)

Mitigation

Disable the HTTP Server feature on Cisco IOS XE, particularly on internet-facing systems, as outlined in the vendor advisory.

More information

Vendor advisory – Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

If you require more information or further support, submit a report on our website or contact us on 0800 114 115.

For media enquiries, email our media desk at media@ncsc.govt.nz