Cisco IOS XE Web UI Implant (CVE-2023-20198)
Description
CVE-2023-20198 is a critical (CVSS 10.0) privilege escalation vulnerability in the Web UI feature of Cisco IOS XE Software. An unauthenticated remote attacker who can reach the Web UI (HTTP or HTTPS) can use it to create a local user account with privilege level 15, which is full administrative control of the device. In the campaign Cisco observed, threat actors used such an account to install an implant that accepts unauthenticated commands and executes them at the system level, bypassing the normal Web UI authentication entirely. The implant itself is written to the device file system and does not survive a reload, but the rogue privilege-15 accounts live in the saved configuration and do persist across reboots, so a reload alone does not evict the attacker.
Remediation
1. Immediately disable the HTTP Server feature on all internet-facing systems if the Web UI is not required. In global configuration mode use 'no ip http server' and 'no ip http secure-server'; if both the HTTP and HTTPS servers are enabled, both commands are required, because disabling only one leaves the other listener exposed. Save the change with 'copy running-config startup-config' so it survives a reload, and confirm first that no other service on the device depends on the HTTP server.
2. If the Web UI must stay enabled, restrict it to trusted management networks with an access control list applied via 'ip http access-class' so that only management hosts can reach the listener. Because the vulnerability is exploitable without credentials, an ACL is a mitigation for reachability only; it does not replace the upgrade in step 4.
3. Check for indicators of compromise. Review 'show running-config' for local user accounts with privilege level 15 that you did not create (Cisco observed attacker accounts named cisco_tac_admin and cisco_support, but any unrecognized privilege-15 account is suspect). Also run Cisco's implant check from a host that can reach the device: an unauthenticated POST to /webui/logoutconfirm.html?logon_hash=1 on the device; if the response body is a hexadecimal string, the implant is present.
4. Upgrade to a patched Cisco IOS XE software version as specified in the Cisco Security Advisory.
5. If the implant is detected, upgrade to a patched version, reload the device (the reload removes the implant file but not the attacker's accounts), then restore from a known-good configuration backup taken before the earliest sign of compromise, or remove the rogue accounts by hand if no such backup exists. Treat every credential and key stored on the device as exposed and rotate it.
6. Review all user accounts and remove any unauthorized entries.
7. Monitor system logs for suspicious authentication attempts and configuration changes. Messages Cisco associated with this activity include %SEC_LOGIN-5-WEBLOGIN_SUCCESS entries from unfamiliar source addresses or for unfamiliar users, %SYS-5-CONFIG_P entries reporting configuration "by process SEP_webui_wsma_http" at times when no administrator was using the Web UI, and %WEBUI-6-INSTALL_OPERATION_INFO entries recording an "Install Operation: ADD" of an unknown file. The CONFIG_P message also appears during legitimate Web UI use, so correlate it with the user and source rather than alerting on it alone.
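As an added example, not code from Cisco or from this advisory: a POSIX shell script that automates the checks in steps 3 and 7 against a saved running-config and a syslog export, and wraps Cisco's published implant probe. The running-config and syslog samples are constructed for this example; only the message formats follow the indicators Cisco published. The function names, the baseline-account list, and the "body is purely hexadecimal" heuristic for the implant response are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the Cisco advisory or any Cisco tool): offline triage
# helpers for the CVE-2023-20198 remediation steps. The config and log samples
# below are constructed; only the syslog message formats follow Cisco's IoCs.
set -eu

# Step 3: list every local account granted privilege 15 in a saved
# "show running-config" file. Matches both "secret" and "password" forms.
find_priv15_users() {
    grep -E '^username [^ ]+ privilege 15( |$)' "$1" | awk '{ print $2 }'
}

# Report privilege-15 accounts that are not in the operator's baseline
# (a space-separated list of usernames expected to exist on the device).
unexpected_priv15_users() {
    cfg=$1
    known=$2
    find_priv15_users "$cfg" | while read -r u; do
        case " $known " in
            *" $u "*) ;;                 # expected account, skip
            *) printf '%s\n' "$u" ;;     # not in baseline: investigate
        esac
    done
}

# Step 7: count syslog lines of the message types Cisco associated with this
# activity. CONFIG_P from SEP_webui_wsma_http also appears during legitimate
# Web UI use, so hits are leads to correlate, not proof of compromise.
ioc_log_hits() {
    grep -E 'SEP_webui_wsma_http|WEBUI-6-INSTALL_OPERATION_INFO|SEC_LOGIN-5-WEBLOGIN_SUCCESS' "$1" \
        | wc -l | tr -d ' '
}

# Implant check: Cisco's published probe is an unauthenticated POST to
# /webui/logoutconfirm.html?logon_hash=1; a body that is a hexadecimal string
# means the implant answered. Returns 0 if the body looks like that, else 1.
# (Heuristic assumed here: strip whitespace, require only hex characters.)
implant_response_is_hex() {
    printf '%s' "$1" | tr -d '\r\n\t ' | grep -Eq '^[0-9a-fA-F]+$'
}

# Live variant of the probe. -k is needed because Web UI certificates are
# usually self-signed; -m bounds the wait for an unresponsive device.
check_implant() {
    body=$(curl -sk -m 10 -X POST "https://$1/webui/logoutconfirm.html?logon_hash=1" || true)
    if implant_response_is_hex "$body"; then
        printf 'IMPLANT RESPONSE from %s: %s\n' "$1" "$body"
        return 1
    fi
    printf 'no implant response from %s\n' "$1"
}

# ---- constructed sample data (not from a real device) --------------------
SAMPLE_CFG=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$SAMPLE_LOG"' EXIT

cat > "$SAMPLE_CFG" <<'EOF'
hostname edge-rtr-1
username admin privilege 15 secret 9 $9$REDACTEDHASH
username cisco_tac_admin privilege 15 secret 9 $9$REDACTEDHASH
username netops privilege 1 password 7 REDACTED
ip http server
ip http secure-server
EOF

cat > "$SAMPLE_LOG" <<'EOF'
Oct 11 03:42:13.001: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.7] at 03:42:13 UTC Wed Oct 11 2023
Oct 11 03:42:20.501: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
Oct 11 03:45:02.009: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD example.conf
Oct 11 04:00:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
EOF

echo "privilege-15 accounts not in baseline:"
unexpected_priv15_users "$SAMPLE_CFG" "admin"
echo "IoC log lines: $(ioc_log_hits "$SAMPLE_LOG")"
# The network probe only runs when a target is supplied, e.g.
#   CHECK_HOST=192.0.2.1 sh triage.sh
if [ -n "${CHECK_HOST:-}" ]; then
    check_implant "$CHECK_HOST"
fi
```

On real data, feed the script a copy of 'show running-config' and a syslog export from your collector rather than the constructed samples; replace the baseline list "admin" with the accounts your change records say should exist. A hit from any of the three checks should lead straight to step 5, not to further polling of the device.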