Connect with us

Hi, what are you looking for?


Malware & Threats

Cisco Finds Second Zero-Day as Number of Hacked Devices Apparently Drops

Cisco has found a second zero-day vulnerability that has been exploited in recent attacks as the number of hacked devices has started dropping.

Cisco zero-day CVE-2023-20198 exploited

Cisco has found a second actively exploited IOS XE zero-day vulnerability, with the company disclosing it just as the number of hacked devices appears to have dropped significantly.

The networking giant warned customers last week that threat actors have exploited a zero-day since at least mid-September. The critical flaw, tracked as CVE-2023-20198, affects the IOS XE web interface and it can be exploited by remote, unauthenticated attackers to create high-privileged accounts on targeted Cisco devices.

After creating new accounts on devices and gaining root privileges on the system, the attackers have been observed delivering a Lua-based implant that enables them to execute arbitrary commands. 

Cisco initially said the attackers exploited an older IOS XE command injection vulnerability tracked as CVE-2021-1435 to deploy the implant, but noted that it had also detected attacks on systems patched against this vulnerability, suggesting that another zero-day may be involved.

The company has now confirmed that a second zero-day has been exploited to deliver the implant. This new security hole is tracked as CVE-2023-20273.

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access,” Cisco explained in its advisory. “The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system.”

CVE-2021-1435 is no longer believed to be involved in these attacks, Cisco said.

When it first disclosed the attacks, Cisco only provided mitigations, but the company has now released patches for both vulnerabilities. However, in addition to installing the patches, organizations will need to perform other actions to clean up their systems. 

Advertisement. Scroll to continue reading.

Various cybersecurity companies have been scanning the internet for systems hacked as part of this campaign and at one point identified more than 40,000 compromised Cisco switches and routers, with some seeing as many as 53,000 devices.  

The cybersecurity community is now seeing a sharp drop in the number of infected devices, with the Shadowserver Foundation finding the backdoor on only 100 systems. 

CERT Orange Cyberdefense believes the attackers may be trying to hide the implant and warned that there are still likely many hacked devices, even if they no longer show up in scans.

It’s worth noting that while the account created via the exploitation of CVE-2023-20198 is persistent, the implant is not, and it gets removed when the device is rebooted.

No information is available on who may be behind these attacks or what their goal may be. 

The US cybersecurity agency CISA has released guidance for addressing CVE-2023-20198 and CVE-2023-20273. It has also added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, instructing federal agencies to immediately address them.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.