Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices.
Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain.
“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination,” Cisco said in an updated advisory published Friday. “This allowed the user to log in with normal user access.”
“The attacker then exploited another component of the web UI feature to escalate privileges to root and implant a new local user into the file system,” a vulnerability that has been assigned identifier CVE-2023-20273.
A Cisco spokesperson said that a fix covering both vulnerabilities has been identified and will be made available to customers starting October 22, 2023. In the interim, Cisco recommends disabling the HTTP server feature.
While Cisco previously noted that a now-patched security flaw in the same software had been exploited to install the backdoor, the company has since reassessed which vulnerability is associated with the activity in light of the new zero-day discovery.
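As an added example (not from the article or from Cisco), the following Python audits a saved running configuration for the two things the text singles out: privilege 15 local users that are not in a known baseline, and whether the HTTP server feature the interim guidance says to disable is still enabled. The configuration text, the hostname and the baseline admin set are constructed for illustration.

```python
import re

# Constructed sample of an IOS XE running configuration (not from the
# article or from Cisco). "svc_admin" stands in for a local account of the
# kind the described exploit chain creates; "netops" is the approved admin.
SAMPLE_CONFIG = """\
hostname edge-router
username netops privilege 15 secret 9 $9$placeholder
username svc_admin privilege 15 secret 5 $1$placeholder
ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""

# Assumed baseline of approved privilege 15 accounts for this device.
KNOWN_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
# Only matches the enabling form; "no ip http server" does not start with "ip".
HTTP_RE = re.compile(r"^ip http (secure-)?server$", re.MULTILINE)


def unexpected_priv15_users(config: str, known: set) -> list:
    """Return privilege 15 usernames present in the config but absent from the baseline."""
    return sorted(
        name
        for name, level in USER_RE.findall(config)
        if int(level) == 15 and name not in known
    )


def web_ui_enabled(config: str) -> bool:
    """True if the HTTP or HTTPS server (the web UI) is still enabled."""
    return HTTP_RE.search(config) is not None


def audit(config: str, known: set) -> dict:
    """Combine both checks into one record suitable for a ticket or SIEM event."""
    return {
        "unexpected_priv15_users": unexpected_priv15_users(config, known),
        "web_ui_enabled": web_ui_enabled(config),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, KNOWN_ADMINS))
```

Run it against `show running-config` output collected from each device; a non-empty user list or `web_ui_enabled: True` is a finding to investigate or remediate.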
“An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “Specifically, these vulnerabilities allow an actor to create a privileged account that grants full control over the device.”
Successful exploitation of the bugs could allow attackers to gain unfettered remote access to routers and switches, monitor network traffic, inject and redirect traffic, and use the compromised devices as a persistent beachhead into the network, given the general lack of endpoint protection solutions for such devices.
The development comes as more than 41,000 Cisco devices running vulnerable IOS XE software have been compromised by threat actors using two security flaws, according to data from Censys and LeakIX.
“As of October 19, the number of compromised Cisco devices has fallen to 36,541,” the attack surface management firm said. “The primary targets of this vulnerability are not large corporations but smaller entities and individuals.”