When the web UI feature of Cisco IOS XE Software is exposed to the Internet or to untrusted networks, a vulnerability (CVE-2023-20198) allows a remote, unauthenticated attacker to create an account on the affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
- Cisco has released a fix for version 17.9.4a. All prior versions are considered vulnerable if the HTTP service is exposed. Refer to the Recommendations section of the Cisco advisory for updates on the status of Cisco's investigation and on when a software patch is available.
- The Bitsight Vulnerability Research team expects to be able to produce a "suspected exposure" capability for this vulnerability. The timeline is not yet known because the capability is still being evaluated.
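The two conditions the advisory ties together, an exposed HTTP/HTTPS service and an unexpected privilege-15 account, can both be read out of a device's running configuration. The following is an added, defender-side audit script; it is not code from Cisco or Bitsight. The configuration text, hostname and account names are constructed for illustration, and the set of expected administrators is an assumption the operator supplies.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of `show running-config` output; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username backup-admin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


@dataclass
class WebUiAudit:
    http_enabled: bool = False
    https_enabled: bool = False
    priv15_accounts: list = field(default_factory=list)
    unexpected_priv15: list = field(default_factory=list)

    @property
    def web_ui_exposed(self) -> bool:
        # Per the advisory, unpatched releases are vulnerable when the HTTP service is reachable.
        return self.http_enabled or self.https_enabled


def audit_config(config_text: str, expected_admins: set) -> WebUiAudit:
    """Report web UI exposure and privilege-15 accounts outside the expected set."""
    result = WebUiAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        # The last matching statement wins, as in the device's running config.
        if line == "ip http server":
            result.http_enabled = True
        elif line == "no ip http server":
            result.http_enabled = False
        elif line == "ip http secure-server":
            result.https_enabled = True
        elif line == "no ip http secure-server":
            result.https_enabled = False
        m = USERNAME_RE.match(line)
        if m and m.group(2) == "15":
            result.priv15_accounts.append(m.group(1))
            if m.group(1) not in expected_admins:
                result.unexpected_priv15.append(m.group(1))
    return result
```

Any name in `unexpected_priv15` should be reconciled against change records before the device is treated as clean, and `web_ui_exposed` being true on a release before the fix is the condition the advisory says to remediate.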