Cisco’s IOS XE software has a critical flaw in its web UI feature that was unpatched at the time of disclosure. Tracked as CVE-2023-20198, the vulnerability carries the maximum CVSS score of 10.0. It affects enterprise networking devices running IOS XE with the web UI (HTTP server) feature enabled, and it is most dangerous when that interface is reachable from the internet or other untrusted networks.
When exploited, the flaw lets a remote attacker create a local account with privilege level 15, the highest IOS XE privilege, and then use that account to take control of the device. Cisco observed this activity on customer devices in September and October 2023, including local user accounts being created from suspicious IP addresses.
In one of these intrusions the attacker also deployed a Lua-based implant that runs arbitrary commands at the system level or the IOS level. Although attribution remains uncertain, Cisco assesses that both clusters of activity were carried out by the same threat actor. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory.
Earlier, in April 2023, alerts had already been issued about state-sponsored campaigns targeting network infrastructure worldwide, with Cisco stressing how attractive routing and switching devices are to adversaries.
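As an added example, not from the original article and not Cisco's own tooling, the Python below does the two checks a practitioner would want after reading the above: it audits a running-config for an exposed web UI and for privilege-15 accounts outside an allowlist, and it scans syslog for configuration changes that originated from the web UI process. The running-config excerpt and syslog lines are constructed samples; the `%SYS-5-CONFIG_P` and `%WEBUI-6-INSTALL_OPERATION_INFO` message formats follow Cisco's published detection guidance for this campaign, but treat them as assumptions and verify them against your own devices' logs.

```python
import re

# Constructed running-config excerpt: web UI enabled with no access-class,
# and a privilege-15 account that the operator never created.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
"""

# Constructed syslog lines; message formats modelled on Cisco's public guidance
# (assumption: your platform's wording may differ slightly).
SAMPLE_SYSLOG = """\
*Oct 17 09:12:45.102: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)
*Oct 17 09:15:01.337: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
*Oct 17 09:15:03.009: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD flash:update.tar
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
# group(1) captures a leading "no " so "no ip http server" is not counted as enabled
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-)?server\b", re.M)
ACCESS_CLASS_RE = re.compile(r"^ip http access-class\b", re.M)
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+) from console as (\S+)")
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+), Install Operation: (\S+) (\S+)")


def audit_running_config(config, known_admins):
    """Report web UI exposure and privilege-15 accounts not in known_admins."""
    enabled = [m.group(0) for m in HTTP_RE.finditer(config) if not m.group(1)]
    restricted = bool(ACCESS_CLASS_RE.search(config))
    unexpected = [user for user, level in USERNAME_RE.findall(config)
                  if level == "15" and user not in known_admins]
    return {
        "webui_enabled": bool(enabled),
        "webui_restricted_by_acl": restricted,
        "unexpected_priv15_accounts": unexpected,
    }


def scan_syslog(text):
    """Flag config changes and file installs driven by the web UI process."""
    hits = []
    for line in text.splitlines():
        m = CONFIG_P_RE.search(line)
        if m and "webui" in m.group(1).lower():
            hits.append({"kind": "webui_config_change",
                         "process": m.group(1), "user": m.group(2)})
        m = INSTALL_RE.search(line)
        if m:
            hits.append({"kind": "webui_install", "user": m.group(1).strip(),
                         "op": m.group(2), "file": m.group(3)})
    return hits


if __name__ == "__main__":
    # Operator-maintained allowlist of accounts that are supposed to exist.
    print(audit_running_config(SAMPLE_RUNNING_CONFIG, {"netadmin"}))
    for hit in scan_syslog(SAMPLE_SYSLOG):
        print(hit)
```

On a real device the inputs come from `show running-config` and `show logging`. If `webui_enabled` is true and the interface does not need to be reachable, `no ip http server` and `no ip http secure-server` remove the attack surface; if it must stay up, `ip http access-class` restricts it to management networks. Any privilege-15 account you did not create, or any `SEP_webui_wsma_http` configuration event you cannot tie to an administrator's session, warrants treating the device as compromised rather than simply deleting the account.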
Milesight Routers Vulnerability Actively Exploited
Industrial cellular routers from Milesight are exposed by a high-severity flaw. Tracked as CVE-2023-43261, it is an information-disclosure vulnerability in specific firmware versions that lets an attacker read sensitive logs and recover credentials from them.
With those credentials an attacker can log in to the router’s web interface, from which it is possible to reconfigure VPN servers and disable firewall protections. On models with cellular connectivity the interface can also send and receive SMS messages, which could be abused for fraudulent financial transactions.
Recent findings indicate the flaw may already have been exploited, with systems in France, Lithuania, and Norway among the targets; credentials extracted from leaked logs point to CVE-2023-43261 as the entry vector. Despite the global footprint of Milesight routers, only a small share run a vulnerable firmware version. Even so, Milesight router owners should move to a non-vulnerable firmware version and reset their credentials, since any password that was present in a leaked log should be treated as known to attackers.
The exploitation of flaws in both Cisco and Milesight routers shows how hard it has become to keep network edge devices secure. Because routers underpin global communication infrastructure, securing them remains paramount: organisations and individual users should apply vendor patches promptly, disable or restrict management interfaces that do not need to be reachable from untrusted networks, monitor their devices for unexpected accounts and configuration changes, and take other proactive steps to reduce risk.