Patch Coming for Cisco IOS XE Software Vulnerabilities, Exploitations Mount

Cisco has identified a patch to a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software.

Cisco reported active exploitation of the vulnerability earlier this week. Through its ongoing investigation, it uncovered the attacker combined two vulnerabilities to bypass security measures, the first for initial access and the second to elevate privilege once authenticated.

Cisco estimates initially releasing the patch that covers both vulnerabilities to customers starting Oct. 22. However, there are actions customers can take immediately.

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses.

Web UI is an embedded graphical user interface (GUI)-based system-management tool that provides the ability to provision the system, to simplify system deployment and manageability, and to enhance the user experience. It comes with the default image, so there is no need to enable anything or install any license on the system. Web UI can be used to build configurations, as well as to monitor and troubleshoot the system without command line interface (CLI) expertise.

Cisco IOS XE Systems Compromised

Earlier this week, researchers at VulnCheck performed an internet scan and identified more than 10,000 compromised Cisco IOS XE systems that had been implanted with the unidentified threat actor(s) remote access tools.

According to Horizon.ai, attackers with this type of unfettered remote access to a network device could take the following actions with associated impacts:

Horizon.ai’s Josh Foster

Horizon3.ai Attack Team technical manager Josh Foster said the active exploitation of this vulnerability “demonstrates the relentless efforts by malicious actors to exploit system weaknesses, making it imperative for organizations to apply immediate patches and also have a long-term, sustainable cybersecurity strategy in place.”

“Regularly monitoring system logs for unusual activities, training staff to recognize potential threats, having an incident response plan ready, and subscribing to a routine of frequent internal and external penetration testing are some of the key steps in creating a resilient cybersecurity infrastructure,” he said.