Hackers have exploited an unpatched zero-day vulnerability in Cisco’s networking software to compromise tens of thousands of devices, researchers have warned.
Cisco on Monday issued an advisory warning that a critical-rated vulnerability in IOS XE, the software that powers the company’s range of networking devices, was being actively exploited by hackers. Cisco said the bug was found in the IOS XE web administration interface, which can be exploited when an affected device is exposed to the internet.
The list of devices running Cisco IOS XE software includes enterprise switches, wireless controllers, access points and industrial routers, which corporations and smaller organizations use to manage their network security.
In a separate blog post, Cisco’s threat intelligence arm Talos said that as-yet-unidentified hackers have been exploiting the bug — known as a zero-day, a type of vulnerability discovered by attackers before the vendor has had time to fix it — since at least September 18. Cisco Talos said that successful exploitation grants an attacker “full control of the compromised device” that allows for “possible subsequent unauthorized activity” on the corporate victim’s network.
Cisco has not yet commented on the scale of the exploitation.
However, Censys, a search engine for internet-connected devices and assets, says it had observed nearly 42,000 compromised Cisco devices as of October 18, noting a “sharp increase” in infections compared to the previous day.
In its analysis of the flaw, Censys says the majority of compromised devices are located in the United States, followed by the Philippines and Mexico. Censys said the hackers are targeting telecommunications companies that offer internet services to both households and businesses.
“As a result, the primary targets of this vulnerability are not large corporations but smaller entities and individuals who are more susceptible,” Censys researchers said.
Zero patch for zero-day
Cisco has not yet released a patch for the zero-day vulnerability, which has received the maximum severity rating of 10.0. Cisco spokesperson Alyssa Martin, representing the company via a third-party agency, told TechCrunch that the company is “working non-stop to provide a software fix,” but declined to say when the patch would be made available.
It’s not yet known how many devices are potentially vulnerable, but Cisco said in its advisory that the zero-day affected both physical and virtual devices running IOS XE software that have the HTTP or HTTPS server feature enabled. In lieu of a patch, Cisco is “strongly” recommending that customers disable the HTTP Server feature on all internet-facing systems.
It’s also unclear who is exploiting the vulnerability. Cisco Talos said that after discovering initial exploitation of the zero-day in September, it observed activity on October 12, which it assesses was carried out by the same actor. “The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant,” Cisco said.
Cisco warned that the as-yet-unidentified attackers also leveraged a previous vulnerability, CVE-2021-1435, which Cisco patched in 2021, to install the implant after gaining access to the device.
“We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism,” the researchers said.
In addition to disabling the HTTP Server feature, Cisco urged administrators of potentially compromised devices to immediately search their networks for signs of compromise. CISA, the U.S. government’s cybersecurity agency, is also urging federal agencies to deploy mitigations by October 20.