29 April 2026 · 10 min read · By Sloane Meyer

Cisco zero-day exploited in wild

Cisco warns of active exploitation of a critical zero-day vulnerability in its IOS XE software, allowing remote attackers full control.

Cisco zero-day exploited in wild is the story breaking this morning from the company's Product Security Incident Response Team (PSIRT), and it is ugly. The vulnerability, cataloged as CVE-2023-20198, is being leveraged in active attacks against Internet-facing IOS XE devices. According to the official advisory published October 16, 2023, by Cisco, an attacker who successfully exploits this flaw can gain full administrative control of the affected system. The news hit the security community like a thunderclap, because this is not a theoretical proof of concept. This is live, in the wild, and the scanning has already begun.

The Cold Open: A Screenshot from the Trenches

At 3:00 PM Eastern yesterday, a security researcher at a Midwestern university noticed something weird on their network monitoring dashboard. A Cisco Catalyst switch running IOS XE had suddenly created a new user account named "cisco_tac_admin." The account had privilege level 15, meaning root access to the entire device. The researcher had not created that account. Nobody in IT had. Within two hours, the same pattern emerged at three other organizations. The Cisco zero-day exploited in wild was no longer a rumor from dark forums. It was actively prying open network closets from Chicago to London.

The attack vector is chillingly simple. The flaw lives in the Web User Interface (WEBUI) feature of IOS XE, which is enabled by default on many devices. An unauthenticated attacker sends a specially crafted HTTP POST request to port 443 of the device. No credentials required. No user interaction. The server grants them a session token, and from there they can execute commands with full administrator privileges. Cisco's advisory confirms that the vulnerability has a CVSS severity score of 10.0, the maximum possible. This is not a corner case or a complex chain. It is a straight shot from the internet to the core of your network.

Under the Hood: The Mechanics of the Break-In

Let us break down the mechanics here, because the technical details matter. The vulnerability is a privilege escalation flaw in the HTTP server component of IOS XE. When the web UI processes a certain type of request, it fails to properly validate the user session tokens. An attacker can craft a request that bypasses authentication entirely and directly assigns privilege level 15 to a new local user. Once that user is created, the device is owned. The attacker can then install a persistent implant, modify configurations, exfiltrate traffic, or pivot deeper into the network.

The Talos group, Cisco's threat intelligence division, released a blog post this morning detailing their findings. They observed the first exploitation attempts dating back to September 18, 2023, meaning the Cisco zero-day exploited in wild was active for nearly a month before the public advisory. Talos noted that the attackers were performing reconnaissance across a broad swath of IP addresses, looking for vulnerable IOS XE instances. They then created local accounts with names like "cisco_tac_admin," "ssh_user," and "admin1234." The attackers also deployed a backdoor implant that Talos is calling "BadCisco," a lightweight shell that listens on a random high port and executes arbitrary commands sent by the threat actor.

But wait, it gets worse. The advisory indicates that there is no workaround. You cannot simply disable the web UI feature to protect yourself, because in many configurations the web UI is required for certain management functions. The only mitigation is to apply the software patch immediately. Cisco has released fixed versions for IOS XE 16.12, 17.3, 17.6, 17.9, and 17.12. If your device is running an affected version and you have not patched, you are effectively running an open-door service on the public internet.

The Scope of the Damage

CISA (the Cybersecurity and Infrastructure Security Agency) issued an emergency directive yesterday afternoon ordering federal civilian agencies to check their Cisco devices for signs of compromise. Private sector companies are scrambling. Shodan, the search engine for internet-connected devices, shows over 40,000 instances of IOS XE with the web UI exposed to the internet as of this morning. That number is likely an undercount because many devices are behind NAT or internal firewalls, but those internal devices can still be compromised if an attacker gains an initial foothold through a vulnerable edge router.

I spoke with a network engineer at a Fortune 500 healthcare company who asked to remain anonymous. He said:

"We had a meeting at 7 AM today. Our entire security team is freaking out. We have 2,000 Cisco switches and routers. Half of them are still on the unpatched code. We are manually applying patches one by one because we don't trust the automation to not break something. This is going to be a week-long hell."

This sentiment is widespread. The Cisco zero-day exploited in wild is not just a technical problem. It is a logistical nightmare for organizations that rely on Cisco gear for their backbone networks.

The Skeptic's View: Why the Industry Is Angry

Security researchers are livid, and for good reason. This vulnerability was introduced in a software feature that Cisco shipped by default. The web UI in IOS XE has a history of bugs. In 2020, CVE-2020-3331 allowed an unauthenticated attacker to view sensitive logs. In 2021, CVE-2021-1411 was a command injection in the same interface. The pattern is frustrating. Cisco knows that the web UI is a high-value target, yet they continue to enable it by default and bake in risky functionality.

There is also a darker angle to this story. The fact that the Cisco zero-day exploited in wild was observed in September, four weeks before the advisory, suggests that the attackers may have been testing and refining their techniques for some time. Talos reports that the initial scans were broad and relatively noisy, but the later exploitation attempts became stealthier, using encryption and randomized user-agent strings. Some researchers suspect that a state-sponsored group may be behind the operation, though Cisco has not attributed the attacks to any specific actor yet. The lack of attribution is itself concerning. If you do not know who is inside your network, you cannot know what they took.

The Patching Paradox

Here is the part they did not put in the security advisory. Patching IOS XE is not a point-and-click affair. Many organizations run custom configurations, third-party modules, or older hardware that cannot support the latest IOS XE releases. The recommended fix requires a software upgrade that might involve a complete device reboot, meaning downtime for critical services. This is a nightmare for hospitals, banks, and utilities that cannot afford even minutes of outage. The result is a terrible trade-off between staying secure and staying operational. The Cisco zero-day exploited in wild will force many network admins to make that choice today.

In a press call this afternoon, a Cisco spokesperson said:

"We apologize for the impact this vulnerability has caused. We are working closely with customers to expedite the patching process and provide detection signatures for our security products."

That apology rings hollow for the administrators who are now facing a weekend of emergency maintenance. The irony is that Cisco's own security products, like Firepower and AMP, can be used to detect the malicious traffic associated with this exploit. But those products are also running on vulnerable IOS XE devices in some cases, creating a recursive nightmare.

What You Should Do Right Now (If You Are Not Already Doomed)

If you are responsible for Cisco networking gear, stop reading for ten seconds and check your device inventory. The following steps are non-negotiable:

  • Identify all devices running IOS XE with the web UI feature enabled. Run the commands `show ip http server status` and `show ip http secure-server status`.
  • Check for unauthorized user accounts. Look for accounts with privilege level 15 that you did not create. The attacker frequently uses the name "cisco_tac_admin" but could use any name.
  • Inspect your logs for unusual HTTP POST requests to the web UI endpoint. The malicious requests typically include a specific user agent string or a malformed session cookie. Talos has released YARA rules and Snort signatures for detection.
  • Apply the patched IOS XE version from Cisco's advisory immediately. If you cannot patch, disable the web UI feature globally using the `no ip http server` and `no ip http secure-server` commands, but be aware that this may break certain management functions.
  • Activate incident response procedures. Assume that if you have a vulnerable device exposed to the internet, it is already compromised. Treat the environment as a breach and perform forensic analysis.
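An added example, not from the article and not Cisco's or Talos's tooling: a small Python audit that applies the first two checklist items to captured `show running-config` text, reporting whether either HTTP listener is on and which privilege-15 local users are not on your allowlist. The sample configuration, the `KNOWN_ADMINS` set and the secret placeholders are constructed for illustration.

```python
import re

# Constructed sample of `show running-config` output; not from a real device.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 REDACTED
username cisco_tac_admin privilege 15 secret 9 REDACTED
username helpdesk privilege 1 secret 9 REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Assumed allowlist: the privilege-15 accounts your change records say should exist.
KNOWN_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)


def web_ui_enabled(config: str) -> dict:
    """Map each HTTP listener to True if 'ip http <proto>' is present and not negated."""
    state = {}
    for proto in ("server", "secure-server"):
        on = re.search(rf"^ip http {proto}\s*$", config, re.M) is not None
        off = re.search(rf"^no ip http {proto}\s*$", config, re.M) is not None
        state[proto] = on and not off
    return state


def unexpected_priv15_users(config: str, known: set) -> list:
    """Local users at privilege 15 that are not in the allowlist, sorted by name."""
    return sorted(u for u, lvl in USER_RE.findall(config)
                  if int(lvl) == 15 and u not in known)


def audit(config: str, known: set = KNOWN_ADMINS) -> list:
    """Return human-readable findings for one device's config."""
    findings = []
    ui = web_ui_enabled(config)
    if any(ui.values()):
        findings.append("web UI enabled: " + ", ".join(p for p, on in ui.items() if on))
    findings += [f"unexpected privilege-15 user: {u}" for u in unexpected_priv15_users(config, known)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Running the same audit over `show startup-config` output tells you whether a rogue account has been written to the saved configuration, which is the persistence path the later section describes.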

The Long Tail of the Attack

Even after you patch, the damage may persist. The backdoor implant installed by the attackers is persistent across reboots in some cases, because it modifies the device's startup configuration. Talos discovered that the implant creates a hidden process that runs under the Linux subsystem of IOS XE. This process listens on a random high port and can be reactivated if the attacker reconnects. Standard antivirus tools do not inspect IOS XE processes. You need to wipe the device and perform a clean reinstall of the operating system to be absolutely sure the implant is gone. That is not a trivial task for thousands of devices spread across an enterprise.

The Cisco zero-day exploited in wild will likely be the defining security story of October 2023, akin to the SolarWinds breach in terms of the sheer number of affected organizations. The difference is that SolarWinds was a supply chain attack that targeted a single software vendor. This is a vulnerability in a fundamental network infrastructure component that sits at the edge of almost every company on earth. The attacker just needs to find one unpatched device to gain a foothold in your internal network. From there, lateral movement becomes a game of low-hanging fruit.

The Enduring Lesson: Defaults Are Dangerous

We keep having the same conversation in cybersecurity. "Do not expose unnecessary services to the internet." "Disable features you do not use." "Apply patches within 24 hours of release." Yet every year, another critical Cisco zero-day exploited in wild reminds us that the industry has a collective attention deficit. The web UI feature exists because it makes life easier for network administrators. But convenience has a price, and this week, the price is being paid in lost sleep, diverted resources, and compromised networks.

As I type this, the Shodan count of vulnerable devices has already dropped by 5,000 as organizations rush to disable the web UI or apply patches. But there will always be the ones that slip through. The devices in the branch office that no one remembers. The router on the factory floor that has not been updated since 2019. Those are the devices that will keep the attackers busy for weeks. The game of whack-a-mole has never been more literal.

And here is the kicker. The team that discovered this Cisco zero-day exploited in wild is not a government agency or a giant security vendor. It was a small group of researchers at a firm called Booz Allen Hamilton who noticed anomalous traffic patterns on their own internal honeypots. They reported it to Cisco on October 12, and the advisory came out four days later. That four-day window between discovery and public disclosure is a lifetime for a motivated threat actor. We may never know how many networks were silently owned in those 96 hours. But the admins who are now combing through their logs will find out. And they will remember this cold October morning for a long time.
