17 October 2023

2 min read

Cyber threat advisory: Cisco IOS XE products

Cyber security
Cisco IOS XE

S-RM has identified an active exploitation of a critical vulnerability affecting Cisco IOS XE products. Cisco IOS XE is an operating system used on Cisco networking appliances such as routers and switches.

On 16 October 2023, NIST published the vulnerability (CVE-2023-20198) and assigned it a criticality score of CVSS 10, the highest level of criticality possible. Given the widespread use of Cisco IOS XE products, we assess that this vulnerability could have a significant impact and could become widely exploited by threat actors to gain access to client environments. According to Cisco, this vulnerability has been actively exploited in the wild since 18 September 2023. Additional details can be found here.

Currently there is no patch for this vulnerability.

We recommend that if your organisation uses Cisco appliances running IOS XE, you urgently confirm whether these appliances have or have had the HTTP or HTTPS interface enabled. If these interfaces are enabled, and the appliance is publicly accessible from the internet, we recommend that you immediately disable both HTTP and HTTPS interfaces.  

Furthermore, Cisco have identified several indicators of compromise associated with the exploitation of this vulnerability. If you do or did have Cisco IOS XE products publicly exposed since 18 September 2023, you should search for these indicators to confirm that your appliance has not already been compromised. These include:

1. Any suspicious activity from these accounts:

  • cisco_tac_admin
  • cisco_support
  • any other unrecognised account

2. Activity originating from the following IP addresses:

  • 5.149.249[.]74
  • 154.53.56[.]231

3. The file cisco_service.conf (potentially located at the following path: /usr/binos/conf/nginx-conf/cisco_service.conf):

  • The presence of the file name cisco_service.conf on the relevant appliance.
  • Reference to the cisco_service.conf file name in any logs on the appliance.

4. Suspicious activity in the system logs.

  • “%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line”
    • This entry would be recorded in the system logs if a user accesses the HTTP/S interface from the internet. If present, verify whether it is expected or not.
  • “%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success”
    • This entry would be recorded in the system logs if a user successfully logged in through the interface. If present, verify whether the user account and IP address are legitimate and expected.
    • This entry would be recorded in the system logs if any files were successfully installed on the system. Review which files are listed in the specific entry and confirm whether they are legitimate and expected.
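As an added example (not S-RM's or Cisco's tooling), the following Python script checks exported IOS XE syslog lines against the indicators listed above: the two log messages, the two accounts, the two IP addresses and the cisco_service.conf file name, plus a check for web UI logins by accounts outside an allowlist. The KNOWN_ACCOUNTS allowlist and the SAMPLE_LOG lines are constructed assumptions, not data from a real device.

```python
import re

# Indicators from the advisory above; the IPs are de-fanged there and re-fanged here.
def refang(ip):
    return ip.replace("[.]", ".")

BAD_ACCOUNTS = ("cisco_tac_admin", "cisco_support")
BAD_IPS = {refang(ip) for ip in ("5.149.249[.]74", "154.53.56[.]231")}
BAD_FILE = "cisco_service.conf"
LOG_MARKERS = {
    "%SYS-5-CONFIG_P": "programmatic config change via web UI process",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS": "successful web UI login",
}
# Assumed allowlist of accounts expected to use the web UI; replace with your own.
KNOWN_ACCOUNTS = {"admin", "netops"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\[user: ([^\]]*)\]")

def triage_line(line):
    """Return the advisory indicators a single syslog line matches ([] if none)."""
    hits = []
    for marker, desc in LOG_MARKERS.items():
        if marker in line:
            hits.append(f"{marker} ({desc})")
    for ip in IPV4_RE.findall(line):
        if ip in BAD_IPS:
            hits.append(f"known-bad source {ip}")
    for acct in BAD_ACCOUNTS:
        if re.search(rf"\b{re.escape(acct)}\b", line):
            hits.append(f"known-bad account {acct}")
    m = USER_RE.search(line)  # web UI login: is the account one we expect?
    if m and m.group(1) not in KNOWN_ACCOUNTS and m.group(1) not in BAD_ACCOUNTS:
        hits.append(f"unrecognised account {m.group(1) or '<blank>'}")
    if BAD_FILE in line:
        hits.append(f"reference to {BAD_FILE}")
    return hits

def triage(lines):
    """Map 1-based line numbers to their hits, skipping clean lines."""
    return {n: h for n, line in enumerate(lines, 1) if (h := triage_line(line))}

# Constructed sample log (not from a real device); line 1 is benign.
SAMPLE_LOG = [
    "Oct 16 10:01:02 rtr1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Oct 16 10:02:10 rtr1: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 5.149.249.74] [localport: 80]",
    "Oct 16 10:02:11 rtr1: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "Oct 16 10:03:00 rtr1: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc_backup] [Source: 198.51.100.7] [localport: 443]",
    "Oct 16 10:03:30 rtr1: nginx: loaded /usr/binos/conf/nginx-conf/cisco_service.conf",
]
```

Run `triage(SAMPLE_LOG)` over your own exported syslog to get the flagged line numbers with the reasons; a match is a prompt to verify the account, source address and file against what you expect, as the advisory says, not proof of compromise on its own.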

If you identify any of these indicators of compromise on your network, or would like any advice on how to remediate a compromise, please reach out to our incident response hotline at cyberir@s-rminform.com.

Gavin Hull
Associate Director, Cyber Security

Gavin Hull is an Associate Director, Technical Lead in the Cyber Incident Response capability of S-RM. He joined in 2022 and now leads the technical development of the Incident Response function, while also providing oversight and expert advice on a wide variety of cyber defence cases and projects. His background includes over nine years in cyber security, where he has led and supported the investigation, containment and remediation of threats that had targeted clients from a diverse set of industries. The types of incidents include advanced persistent threats, big game hunting, ransomware, insider threats, crypto-jacking, business email account compromise, cloud tenant hijacking, and other sophisticated attacks.

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 
