PT-2023-6168 · Cisco · Cisco Ios Xe

Published

2023-10-16

·

Updated

2025-11-29

·

CVE-2023-20198

CVSS v3.1
10
Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Cisco IOS XE Software, any release with the web UI feature (ip http server or ip http secure-server) enabled, prior to the fixed releases published by Cisco (17.9.4a, 17.6.6a, 17.3.8a and 16.12.10a). Devices with the web UI disabled are not affected.
Description Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access and so gain full control of the device. It is tracked as CVE-2023-20198 and has a CVSS score of 10.0. In the observed attacks the attacker logged in with the newly created account and then exploited a second web UI vulnerability, CVE-2023-20273, to elevate to root and write an implant to the file system. The vulnerability has been actively exploited; at the peak of the October 2023 campaign more than 40,000 internet-facing devices were reported as compromised. Threat actors, including the China-linked Salt Typhoon group, have since used this vulnerability to breach telecommunications companies, retrieve configuration files, and establish GRE tunnels for data exfiltration. A Lua-based web shell known as BADCANDY is used as the implant. The implant itself does not survive a reboot, but the privilege-15 accounts created through CVE-2023-20198 are written to the configuration and remain after a reboot, so a reboot alone does not remediate a compromised device and actors have been observed re-deploying the implant through the accounts they left behind. The vulnerability affects only devices with the web UI feature enabled.
Recommendations Upgrade to a fixed release of Cisco IOS XE Software. Until the upgrade is applied, disable the HTTP Server feature on all internet-facing systems with the global configuration commands no ip http server and no ip http secure-server, or restrict the web UI with an access list that permits only trusted management hosts. Check every device for compromise before and after patching: review the running configuration for unexpected local users with privilege 15 (cisco_tac_admin and cisco_support were used in the initial campaign), review syslog for %SEC_LOGIN-5-WEBLOGIN_SUCCESS messages from unknown users, %SYS-5-CONFIG_P messages from the SEP_webui_wsma_http process and %WEBUI-6-INSTALL_OPERATION_INFO messages reporting an ADD operation, and test for the implant by requesting https://<device>/webui/logoutconfirm.html?logon_hash=1 (a response consisting of a hexadecimal string indicates the implant is present; later implant variants require a specific Authorization header documented in Cisco's advisory). Remove any attacker-created accounts, reboot to clear the implant, and rotate credentials and keys that were present in the retrieved configuration.
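The compromise checks listed above, written out as a small triage script. This is an added example and not Cisco's or the advisory's own code: the indicator patterns follow the syslog messages and the implant check Cisco published for this vulnerability, while the allow-list of legitimate web UI users, the device host name and the sample log lines are constructed for the demonstration.

```python
"""Triage helpers for CVE-2023-20198 indicators on Cisco IOS XE (added example)."""
import re
import ssl
import urllib.request
from typing import Dict, List

# Local users expected to log in to the web UI on this device (assumed list).
KNOWN_WEBUI_USERS = {"netops"}

# Account names the attackers created in the October 2023 campaign.
ATTACKER_ACCOUNT_NAMES = {"cisco_tac_admin", "cisco_support"}

WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+)"
)
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<path>\S+)"
)


def triage_syslog(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that matches a known indicator."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = WEBLOGIN_RE.search(line)
        if m:
            user = m.group("user")
            if user in ATTACKER_ACCOUNT_NAMES:
                findings.append({"indicator": "known_attacker_account_login",
                                 "user": user, "source": m.group("src")})
            elif user not in KNOWN_WEBUI_USERS:
                findings.append({"indicator": "unexpected_webui_login",
                                 "user": user, "source": m.group("src")})
            continue
        m = CONFIG_P_RE.search(line)
        # Only the web UI's WSMA process is an indicator; other sources of
        # programmatic configuration (NETCONF, RESTCONF) are normal.
        if m and m.group("proc") == "SEP_webui_wsma_http":
            findings.append({"indicator": "programmatic_config_via_webui",
                             "process": m.group("proc")})
            continue
        m = INSTALL_RE.search(line)
        if m and m.group("op") == "ADD":
            findings.append({"indicator": "webui_file_install",
                             "user": m.group("user").strip(), "path": m.group("path")})
    return findings


HEX_TOKEN_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def implant_check_positive(response_body: str) -> bool:
    """Classify the body returned by /webui/logoutconfirm.html?logon_hash=1.

    A clean web UI returns an HTML logout page; the implant answers with a
    bare hexadecimal string, which is what Cisco's check looks for.
    """
    return HEX_TOKEN_RE.match(response_body.strip()) is not None


def fetch_logoutconfirm(host: str, timeout: float = 10.0) -> str:
    """Perform the implant request against a live device (not run offline).

    Device certificates are usually self-signed, so verification is disabled
    for this single diagnostic request.
    """
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed lines modelled on the messages Cisco documented for the campaign.
SAMPLE_SYSLOG = [
    "*Oct 11 03:42:13.114: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: cisco_tac_admin] [Source: 203.0.113.10] at 03:42:13 UTC Wed Oct 11 2023",
    "*Oct 11 03:42:20.002: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as user on line",
    "*Oct 11 03:43:01.557: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD /usr/binos/conf/nginx-conf/cisco_service.conf",
    "*Oct 11 08:15:44.310: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 10.0.0.5] at 08:15:44 UTC Wed Oct 11 2023",
]

if __name__ == "__main__":
    for finding in triage_syslog(SAMPLE_SYSLOG):
        print(finding)
    # Replace with a real device to run the live check (hypothetical host name).
    # print(implant_check_positive(fetch_logoutconfirm("edge-router.example.net")))
```

The syslog triage only flags the message sources the advisory ties to this campaign, so routine NETCONF or RESTCONF configuration events and logins by allow-listed users produce no findings; the hexadecimal classifier is deliberately strict, because the uncompromised endpoint returns HTML and never a bare token.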

Exploit

Fix

RCE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

BDU:2023-06875
CVE-2023-20198

Affected Products

Cisco Ios Xe