John Cook

Infection of over 40,000 Cisco IOS XE devices with a zero-day backdoor




Over 40,000 Cisco devices running the IOS XE operating system were compromised by attackers exploiting a newly discovered maximum-severity vulnerability tracked as CVE-2023-20198.

Because no patch or workaround is currently available, Cisco recommends that customers "deactivate the HTTP Server feature on all internet-facing systems" to protect their devices. Cisco IOS XE is the network operating system that runs on enterprise switches, industrial routers, access points, wireless controllers, and aggregation and branch routers.


Tens of thousands of Cisco devices have been compromised

Around 10,000 Cisco IOS XE devices were initially thought to have been compromised, but as security researchers scanned the internet for a more accurate count, the number kept climbing.


On Tuesday, October 17, LeakIX, an indexing service for web applications and services exposed on the public internet, reported finding about 30,000 affected devices, not counting devices that had been restarted. The search used Cisco's indicators of compromise (IoCs) to assess whether CVE-2023-20198 had already been successfully exploited on an exposed device, and it turned up thousands of affected hosts in Chile, the Philippines, and the United States.


LeakIX results for Cisco IOS XE devices exposed online. Source: LeakIX (https://twitter.com/leakix/status/1714342183141028307)




Orange's private CERT reported on Wednesday, 18 October 2023, that more than 34,500 Cisco IOS XE IP addresses carried malicious implants resulting from exploitation of CVE-2023-20198. Cisco confirmed this figure using the same verification method. CERT Orange also published a Python script (https://github.com/cert-orangecyberdefense/Cisco CVE-202320198) to test a network device running Cisco IOS XE for the presence of a malicious implant.


The Censys search platform, which evaluates the attack surface for devices connected to the internet, reported an update on October 18 (https://censys.com/cve-2023-20198cisco-ios-xe-zeroday/ ), noting an increase to 41,983 compromised devices.



Censys results for Cisco IOS XE hosts on the open web. Source: Censys


It is difficult to determine the exact number of Cisco IOS XE devices that can be accessed via the open internet, but Shodan displays slightly more than 145,000 hosts, the majority of which are in the United States. Nearly 90,000 hosts were discovered to be exposed on the internet when security researcher Yutaka Sejiyama (https://twitter.com/nekono naha ) searched Shodan for Cisco IOS XE devices vulnerable to CVE-2023-20198.


Many of the exposed devices in the United States belong to communications service providers, including Google Fiber, Comcast, Verizon, Cox Communications, Frontier, AT&T, Spirit, CenturyLink, and Charter. Sejiyama's list also includes government agencies, banks, hospitals, medical facilities, universities, sheriff's offices, school districts, and convenience stores.


After device reboot, risk remains

Threat actors had been exploiting CVE-2023-20198 as a zero-day since before September 28 to create a high-privilege account on vulnerable hosts and take complete control of the device, but Cisco only publicly disclosed the flaw on Monday, 16 October 2023.


On 17 October 2023, Cisco added new attacker IP addresses and usernames to its advisory (https://blog.talosintelligence.com/active-exploitation-of-cisco-iosxe-software/ ), along with updated rules for Snort, the open-source network intrusion detection and prevention system. The researchers noted that the threat actors behind these attacks deploy a non-persistent malicious implant that is removed when the device reboots. The new accounts the implant helped create, however, survive the reboot and "have level 15 privileges, meaning they have full administrator access to the device."
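The two defender-side facts above, that the recommended mitigation is to turn off the HTTP server feature and that attacker-created level-15 accounts persist after the implant is gone, can both be checked from a saved copy of the device's running configuration. The following Python is an added example for this article, not Cisco's tooling or CERT Orange's script: it parses `show running-config` text offline, reports whether `ip http server` / `ip http secure-server` are enabled, lists privilege-15 local users, and flags any not on an expected-admin list. The sample configuration, the `netadmin` and `svc_backup` account names, and the `expected_admins` parameter are all constructed for the example; the `no ip http server` / `no ip http secure-server` commands are the standard IOS XE CLI form of the advice to deactivate the HTTP Server feature.

```python
"""
Offline audit of a Cisco IOS XE running configuration (example code added to
this article; not Cisco's or CERT Orange's tool).

It checks two things the article describes:
  1. whether the HTTP / HTTPS server feature is enabled (the mitigation is to
     disable it on internet-facing devices), and
  2. which local accounts hold privilege 15, since attacker-created accounts
     survive a reboot even though the implant itself does not.
No network connection is made; paste in 'show running-config' output.
"""
import re
from dataclasses import dataclass, field

# Regex for local user definitions, e.g. "username admin privilege 15 secret 9 ...".
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
PRIVILEGE_RE = re.compile(r"\bprivilege\s+(\d+)\b")


@dataclass
class AuditResult:
    http_server_enabled: bool = False
    http_secure_server_enabled: bool = False
    privilege15_users: list = field(default_factory=list)
    unexpected_privilege15_users: list = field(default_factory=list)

    @property
    def needs_attention(self) -> bool:
        """True if the web UI is reachable or an unknown level-15 account exists."""
        return (self.http_server_enabled
                or self.http_secure_server_enabled
                or bool(self.unexpected_privilege15_users))


def audit_running_config(config_text: str, expected_admins: set) -> AuditResult:
    """Parse running-config text and collect the two findings described above."""
    result = AuditResult()
    for raw in config_text.splitlines():
        line = raw.strip()
        # IOS XE shows "ip http server" when enabled and "no ip http server"
        # when disabled, so an exact match is sufficient.
        if line == "ip http server":
            result.http_server_enabled = True
        elif line == "ip http secure-server":
            result.http_secure_server_enabled = True
        m = USERNAME_RE.match(line)
        if m:
            name, rest = m.groups()
            priv = PRIVILEGE_RE.search(rest)
            if priv and int(priv.group(1)) == 15:
                result.privilege15_users.append(name)
                if name not in expected_admins:
                    result.unexpected_privilege15_users.append(name)
    return result


def remediation_commands(result: AuditResult) -> list:
    """Config-mode commands that disable whichever web server lines are active."""
    cmds = []
    if result.http_server_enabled:
        cmds.append("no ip http server")
    if result.http_secure_server_enabled:
        cmds.append("no ip http secure-server")
    return cmds


# Constructed sample: one legitimate admin, one read-only user, and one
# hypothetical privilege-15 account ("svc_backup") nobody remembers creating.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$constructed
username readonly privilege 1 secret 9 $9$constructed
username svc_backup privilege 15 secret 9 $9$constructed
!
ip http server
ip http secure-server
!
"""

if __name__ == "__main__":
    res = audit_running_config(SAMPLE_CONFIG, expected_admins={"netadmin"})
    print("HTTP server enabled:       ", res.http_server_enabled)
    print("HTTPS server enabled:      ", res.http_secure_server_enabled)
    print("Privilege-15 users:        ", res.privilege15_users)
    print("Unexpected privilege-15:   ", res.unexpected_privilege15_users)
    print("Suggested config commands: ", remediation_commands(res))
```

An unexpected privilege-15 user is a lead, not proof of compromise; compare it against the usernames in Cisco's advisory and against change records before acting. Note also that disabling both HTTP lines removes legitimate web UI management, so do it where the article says: on internet-facing systems, or everywhere the web UI is not required.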


According to Cisco's analysis, the threat actor gathers information about the device and performs initial reconnaissance. The attacker also deletes users and clears logs, most likely to conceal their activity. Although the researchers could not identify the initial delivery method, they believe a single threat actor is responsible for these attacks. Cisco has not released further details about the attacks but has promised to do so once the investigation is complete and a fix is available.
