Almost 42K Cisco IOS XE devices exploited, no patch available

Security researchers have identified tens of thousands of compromised hosts linked to a critical zero-day vulnerability in the web user interface of Cisco IOS XE software.

Censys researchers found almost 42,000 exploited devices with a backdoor installed, according to a Wednesday blog post. Cisco hasn’t yet released a patch or provided a timeline for when one will be available.

The widely exploited vulnerability, tracked as CVE-2023-20198, allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, the highest level on IOS XE, giving full control of the device.

“We’ve seen an increase in the number of infected devices each time we run a manual scan of known Cisco IOS XE Web UI devices,” Emily Austin, senior security researcher at Censys, said via email. 

Censys' initial scan on Tuesday observed 34,140 infected hosts, more than half of the 67,445 hosts exposing the Cisco web interface at the time.

As of Tuesday, the U.S. had the highest number of infections, with 4,659, followed by the Philippines, with 3,224. The impacted organizations appear to be telecommunications companies providing services mainly to small business organizations and remote business users.

More than 22,000 exploited IOS XE devices were observed by researchers at Palo Alto Networks’ Unit 42 team Wednesday. 

Cisco officials said the company is working to develop a patch but warned that there are no workarounds. In the meantime, the company urged customers to disable the HTTP Server feature on internet-facing systems; on IOS XE that means turning off both the HTTP and HTTPS listeners, since the web UI is reachable over either.
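The following is an added example, not code from the article or from Cisco, showing how an operator might audit a fleet's running-configs for the exposure Cisco describes and emit the mitigation lines each device still needs. It assumes the standard IOS XE config syntax (`ip http server` / `ip http secure-server`, negated with `no`); the two sample configs and hostnames are constructed for illustration. The interpretation of a listener that the config never mentions as "unknown" is a deliberate assumption, because the default differs across IOS XE releases.

```python
"""Audit IOS XE running-config text for an exposed web UI (CVE-2023-20198 mitigation check).

Added example; not Cisco's tooling. Sample configs below are constructed, not real devices.
"""
import re

# Constructed sample: a device that still exposes the web UI over HTTP and HTTPS.
EXPOSED_CONFIG = """\
!
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
!
"""

# Constructed sample: a device with Cisco's recommended mitigation applied.
HARDENED_CONFIG = """\
!
hostname edge-rtr-2
!
no ip http server
no ip http secure-server
!
"""

# Cisco's advisory mitigation: disable the HTTP Server feature. Both lines are needed when
# HTTP and HTTPS are enabled; save the running config afterward so it survives a reload.
MITIGATION = ["no ip http server", "no ip http secure-server"]

# Matches only the listener toggles, not related lines such as 'ip http authentication local'.
_HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-server|server)\s*$", re.MULTILINE)


def webui_exposure(config_text: str) -> dict:
    """Return {"http": bool|None, "https": bool|None} for a running-config.

    Lines are applied in order, so a later 'no ip http server' overrides an earlier
    'ip http server'. A listener never mentioned is reported as None (unknown), since
    the platform default varies by release and must be checked on the device.
    """
    state = {"http": None, "https": None}
    for match in _HTTP_RE.finditer(config_text):
        key = "https" if match.group(2) == "secure-server" else "http"
        state[key] = match.group(1) is None  # no 'no ' prefix -> listener enabled
    return state


def is_exposed(config_text: str) -> bool:
    """True if at least one web UI listener is known to be enabled."""
    return any(enabled for enabled in webui_exposure(config_text).values())


def remediation(config_text: str) -> list:
    """Return the mitigation lines this config still needs.

    Unknown listeners are included, because an unmentioned listener may be on by default.
    """
    state = webui_exposure(config_text)
    needed = []
    if state["http"] is not False:
        needed.append(MITIGATION[0])
    if state["https"] is not False:
        needed.append(MITIGATION[1])
    return needed


if __name__ == "__main__":
    for name, cfg in (("edge-rtr-1", EXPOSED_CONFIG), ("edge-rtr-2", HARDENED_CONFIG)):
        print(name, webui_exposure(cfg), "exposed" if is_exposed(cfg) else "ok")
        for line in remediation(cfg):
            print("  apply:", line)
```

Run it against exported `show running-config` output for each device rather than the samples; a device reported as exposed (or unknown) on an internet-facing interface is a candidate for the mitigation above, and any such device should also be checked for signs of prior compromise, since disabling the listener does not remove an implant already installed.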