Exploitation of Cisco IOS XE vulnerabilities affecting UK organisations

Organisations are encouraged to take action to mitigate vulnerabilities affecting Cisco IOS XE (CVE-2023-20198 and CVE-2023-20273) and follow the latest vendor advice.

What has happened?

Cisco has published an updated advisory detailing two vulnerabilities affecting Cisco IOS XE devices. Both are being actively exploited.

CVE-2023-20198 – A remote, unauthenticated attacker could create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

CVE-2023-20273 – A remote, authenticated attacker could inject arbitrary commands as the root user.

The NCSC is working with UK organisations known to be impacted and has notified affected UK organisations signed up for the NCSC Early Warning service.


Who is affected?

Organisations using Cisco IOS XE devices.

The NCSC will continue to monitor the impact of these vulnerabilities on UK organisations.


What should I do?

The NCSC recommends following vendor best-practice advice to mitigate vulnerabilities. In this case, if you use Cisco IOS XE devices, you should take these priority actions:

  1. Check for compromise using the detection steps and indicators of compromise (IoCs) detailed in the Cisco advisory.
  2. If you believe you have been compromised and are in the UK, you should report it to the NCSC.
  3. Disable the HTTP Server feature on all internet-facing devices, or restrict access to trusted networks.
  4. Install the latest version of Cisco IOS XE. More information is on the Cisco website. Organisations should monitor that advisory for the latest information and software updates.
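
As a supporting check for steps 1 and 3, the following added example (not NCSC or Cisco code) audits a saved copy of a device's `show running-config` output for an enabled HTTP/HTTPS server and for local privilege level 15 accounts that are not on an expected list. The sample configuration, account names and the `audit_config` function are constructed for illustration; it supplements the detection steps in the Cisco advisory and does not replace them.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$constructed
username svc_backup privilege 5 secret 9 $9$constructed
username tmp_user1 privilege 15 secret 9 $9$constructed
no ip http server
ip http secure-server
ip http authentication local
"""

# Matches local accounts configured with privilege level 15.
PRIV15 = re.compile(r"username\s+(\S+)\s+(?:.*\s)?privilege\s+15(?:\s|$)")


def audit_config(config_text, expected_admins):
    """Audit one saved running-config; expected_admins is the set of
    privilege-15 usernames the organisation knows it created."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    # Exact-line matches, so "no ip http server" is not counted as enabled.
    http = "ip http server" in lines
    https = "ip http secure-server" in lines
    # An access class limits which source addresses can reach the web UI.
    restricted = any(ln.startswith("ip http access-class ") for ln in lines)
    priv15 = [m.group(1) for ln in lines if (m := PRIV15.match(ln))]
    unexpected = sorted(u for u in priv15 if u not in expected_admins)
    return {
        "http_enabled": http,
        "https_enabled": https,
        "access_restricted": restricted,
        "unexpected_priv15": unexpected,
        # Flag for follow-up: exposed web UI or unknown admin accounts.
        "needs_review": ((http or https) and not restricted) or bool(unexpected),
    }


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG, {"netadmin"}).items():
        print(f"{key}: {value}")
```

A device flagged only because the web UI is enabled may be acceptable if it is not internet-facing; an unexpected privilege 15 account should be investigated using the Cisco advisory's detection steps.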

NCSC guidance, services and tools

The NCSC provides a range of free guidance, services and tools that help to secure systems: