Cisco Warns of Actively Exploited Zero-Day IOS XE Vulnerability

Cisco has issued a security alert about an actively exploited critical zero-day vulnerability in its IOS XE software and is urging all customers to take immediate action to prevent exploitation of the flaw.

The vulnerability is tracked as CVE-2023-20198 and has a maximum CVSS severity score of 10. According to Cisco, the privilege escalation vulnerability resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks. The vulnerability affects any switch, router, or wireless LAN controller that is running IOS XE which has the HTTP or HTTPS Server feature enabled and exposed to the Internet.

The vulnerability can be exploited by a remote, unauthenticated attacker to create an account on the affected system with privilege level 15 access. The account can be used to gain full control of the affected system. Cisco’s Technical Assistance Center (TAC) identified the flaw on September 28, after reports were received about unusual behavior on a customer device.

Cisco has confirmed that the zero-day vulnerability was first exploited on September 18, and a second cluster of attacks was detected on October 12, 2023. In the October attacks, the threat actor attempted to establish persistent access through a malicious implant, which facilitates arbitrary code execution. While the implant will not survive a reboot, the accounts created on the system will remain active, allowing the implant to be redeployed. Cisco said that in one of the attacks, the threat actor exploited a 2-year-old vulnerability (CVE-2021-1435); however, the malicious implant was installed on systems that have been patched against that vulnerability through a mechanism that has yet to be determined.

Cisco strongly advises admins to disable the HTTP server feature on Internet-facing systems which will prevent the vulnerability from being exploited. If services are run that require HTTP/HTTPS communication, access to those services should be restricted to trusted networks.

To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HNTTP Server feature.

After disabling the HTTP Server, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that in the event of a system reload, the HTTP Server feature is not unexpectedly enabled.

Once the attack vector for the vulnerability has been closed, customers should perform checks to find out if the vulnerability has already been exploited. Cisco has shared Indicators of Compromise (IoCs) in its security alert.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of