Cisco Devices Compromised In Large-scale Zero-Day Exploitation


It has recently come to light that attackers have taken advantage of an unpatched zero-day vulnerability in Cisco's networking software, compromising tens of thousands of devices. The critical-rated vulnerability resides in IOS XE, the operating system that powers a wide range of Cisco networking devices. Cisco has issued an advisory warning customers that the bug is under active exploitation. The flaw lies in the IOS XE web administration interface (the web UI) and is exploitable whenever that interface is reachable from the internet.

Key Takeaway

Attackers have exploited an unpatched zero-day vulnerability in Cisco's IOS XE software, compromising tens of thousands of devices. The vulnerability is in the IOS XE web administration interface and can be exploited when that interface is exposed to the internet.

Cisco devices running IOS XE include enterprise switches, wireless controllers, access points, and industrial routers, and they are widely deployed by large corporations and smaller organizations alike to run their networks. According to Cisco's threat intelligence arm, Talos, unidentified attackers have been exploiting the flaw since at least September 18. It is a zero-day in the usual sense: the attackers found and used it before the vendor had a fix available. Successful exploitation gives the attacker full administrative control of the device, which in turn provides a foothold for further unauthorized activity on the victim's network.

Cisco has not said how widespread the exploitation is, but Censys, a search engine for internet-connected devices, reports that it had observed nearly 42,000 compromised Cisco devices as of October 18. The compromised devices are concentrated in the United States, followed by the Philippines and Mexico. Many belong to telecommunications companies that provide internet service to households and businesses; smaller organizations and individuals, who are less likely to have hardened or promptly patched their equipment, are heavily represented among the victims.

Despite the severity of the vulnerability, Cisco has not yet released a patch. The company says it is working on a software fix but has given no timeline. Until one is available, Cisco strongly advises customers to disable the HTTP Server feature on all internet-facing systems, which removes the exposed web UI from the attack path. Who is behind the campaign is not known. Cisco Talos assesses that the actor first tested its code in September and then expanded operations in October, establishing persistent access by deploying an implant on compromised devices.

In addition to exploiting the zero-day, the attackers have leveraged an older vulnerability, CVE-2021-1435, which Cisco patched in 2021, to install the implant after gaining initial access to the device. Cisco also recommends that administrators of potentially affected devices immediately search their networks for indicators of compromise. CISA, the U.S. government's cybersecurity agency, has ordered federal agencies to apply the mitigations by October 20.
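The mitigation and the compromise check described above, put into a small triage script. This is an added example, not Cisco's or Talos' own code: the IOS XE CLI lines are the ones the "disable the HTTP Server feature" advice maps to (and assume privileged EXEC access on the device), and the probe request is the one Cisco Talos published for detecting the implant, which answers an unauthenticated POST to the web UI's logout page with a hexadecimal string. The hostnames passed to the sweep are constructed placeholders.

```shell
#!/bin/sh
# Added example: triage helper for the IOS XE web UI compromise in the article.
# Not Cisco's code. Probe request is Talos' published implant check; the
# mitigation lines are the IOS XE commands behind Cisco's advice.

# IOS XE CLI to paste on internet-facing devices: turn off both the plain
# and the TLS web UI listeners, save, then verify nothing is still enabled.
# (Assumes privileged EXEC access; output is for an admin to apply by hand.)
mitigation_commands() {
    cat <<'EOF'
configure terminal
 no ip http server
 no ip http secure-server
end
copy running-config startup-config
show running-config | include ip http server|secure|active
EOF
}

# Talos' check: an implanted device answers this POST with a hex string.
# $1 = management IP or hostname of the device. Uses -k because the web UI
# usually presents a self-signed certificate.
probe_device() {
    curl -k -s -X POST --max-time 10 \
        "https://$1/webui/logoutconfirm.html?logon_hash=1"
}

# Classify a response body. Kept as a pure function so captured responses
# (from a proxy log, for example) can be triaged without touching the device.
# Verdict is "implant-suspected" only when the body is non-empty and made
# entirely of hex digits; an empty body or an HTML login page is not a hit.
classify_response() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ -n "$body" ] && [ -z "$(printf '%s' "$body" | tr -d '0-9a-fA-F')" ]; then
        echo "implant-suspected"
    else
        echo "no-implant-indicator"
    fi
}

# Probe every device given on the command line and print one verdict per host.
sweep() {
    for host in "$@"; do
        verdict=$(classify_response "$(probe_device "$host")")
        printf '%s %s\n' "$host" "$verdict"
    done
}

# Usage (constructed placeholder hosts):
#   sh ioc_sweep.sh --sweep 192.0.2.10 192.0.2.11
if [ "${1:-}" = "--sweep" ]; then
    shift
    sweep "$@"
fi
```

A "no-implant-indicator" verdict is not proof of a clean device: the check only detects this particular implant as Talos described it, and a device that was exploited but not implanted, or that has since been rebooted (the implant does not survive a reboot, but any accounts the attacker created do), will not answer with the string. Follow a negative with the advisory's other steps, in particular reviewing the running configuration for unexpected privilege-15 users.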
