An exploit for the critical vulnerability CVE-2023-20198 in Cisco IOS XE, which has been used to compromise tens of thousands of devices, has become publicly available. Cisco has issued fixes for most versions of IOS XE, but thousands of systems remain compromised.
Researchers from Horizon3.ai have uncovered the technique by which attackers bypass authentication on vulnerable Cisco IOS XE devices. They demonstrated how the critical vulnerability can be used to create a new user with privilege level 15, granting full control over the device.
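A defender-side check that follows from the detail above: audit a saved `show running-config` for privilege-15 accounts that are not on a known allow-list. This is an added example, not code from the article, Horizon3.ai or Cisco; the config text is constructed and `ALLOWED_ADMINS` is a hypothetical allow-list.

```python
"""Audit an IOS XE running-config for unexpected privilege-15 accounts.

Added example (not from the article or from Horizon3.ai / Cisco). The
sample config is constructed; ALLOWED_ADMINS is a hypothetical allow-list.
"""
import re
from typing import List, Set

# Matches "username <name> privilege <n> ..." lines in an IOS XE running-config.
USER_LINE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def privilege15_users(running_config: str) -> List[str]:
    """Return every account configured with privilege 15 (full device control)."""
    found = []
    for line in running_config.splitlines():
        m = USER_LINE.match(line.strip())
        if m and int(m.group(2)) == 15:
            found.append(m.group(1))
    return found


def unexpected_admins(running_config: str, allowed: Set[str]) -> List[str]:
    """Privilege-15 accounts absent from the allow-list: candidates for the
    kind of backdoor account created by CVE-2023-20198 exploitation."""
    return [u for u in privilege15_users(running_config) if u not in allowed]


# Constructed sample: one legitimate admin, one unexpected account, one low-privilege user.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
username readonly privilege 1 secret 9 $9$placeholder
!
"""
ALLOWED_ADMINS = {"netops"}  # hypothetical allow-list of approved admin accounts

if __name__ == "__main__":
    for user in unexpected_admins(SAMPLE_CONFIG, ALLOWED_ADMINS):
        print(f"ALERT: unexpected privilege-15 account: {user}")
```

Run it against configs exported from each device (or feed it collector output) and alert on any non-empty result; an unexpected account is a reason to pull the device for incident response, not just to delete the user.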
Developing the exploit was made possible by information obtained from a honeypot operated by the SECUINFRA team, which works on combating digital crime and on incident response.
Cisco has updated its security bulletin for CVE-2023-20198, announcing the release of IOS XE updates that address the vulnerability. At present, version 17.3 remains the only affected release without a fix, as its update is not yet available. The company has also addressed the problem through Software Maintenance Updates (SMUs). The latest software versions are available from the Cisco download center.
According to Shodan, up to 80,000 internet-connected devices could be affected. However, that count dropped suddenly when the attackers modified the malicious implant so that it requires an authorization header before it responds, which makes many compromised devices invisible to scans. As of October 26, approximately 28,900 Cisco IOS XE hosts showing signs of compromise had been identified on the internet, according to reports.