Connect with us

Hi, what are you looking for?


Malware & Threats

Number of Cisco Devices Hacked via Zero-Day Remains High as Attackers Update Implant

The number of Cisco devices hacked via recent zero-days remains high, but the attackers have updated their implant.

The number of Cisco devices hacked through the exploitation of two new zero-day vulnerabilities remains very high, but recent scans appeared to show a significant drop due to the attackers updating their implant.

Unidentified hackers have been exploiting the Cisco IOS XE vulnerabilities tracked as CVE-2023-20198 and CVE-2023-20273 to create high-privileged accounts on affected devices and deploy a Lua-based backdoor implant that gives them complete control of the system. 

Patches are now available for both vulnerabilities. 

Shortly after Cisco disclosed the existence of the first flaw, the cybersecurity community started scanning the internet for compromised devices and quickly found that as many as 50,000 switches and routers had the malicious implant. 

A few days later, the scans showed that the number of hacked devices dropped to 100, with some speculating that the attackers were trying to hide the implant. The security community warned that many devices were likely still compromised, even if they did not show up during scans.

Cisco and others have confirmed that the attackers have updated the implant and compromised devices cannot be identified any longer using the initial scan method.

However, NCC Group-owned security firm Fox-IT found a new fingerprinting method and identified nearly 38,000 Cisco devices still hosting the implant. 

Vulnerability intelligence firm VulnCheck has confirmed that thousands of devices are still under the attackers’ control.

Advertisement. Scroll to continue reading.

Cisco has confirmed uncovering a new variant that “hinders identification of compromised systems”.  This second version, which attackers started deploying on October 20, has roughly the same core functionality, but adds a preliminary check for a specific HTTP authorization header.  

“The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems. This header check is primarily used to thwart compromise identification using a previous version of the curl command provided by Talos. Based on the information assessed to date, we believe the addition of the header check in the implant likely resulted in a recent sharp decline in visibility of public-facing infected systems,” Cisco explained.

The networking giant has shared indicators of compromise (IoCs) and instructions for checking whether a device has been hacked. 

It’s worth noting that the implant deployed by the threat actor is not persistent — it gets removed if the device is rebooted — but the high-privileged account created through the exploitation of CVE-2023-20198 remains on the device even after it has been restarted. 

This malicious campaign is reminiscent of the recent operation in which a China-linked APT targeted Barracuda ESG appliances. The attackers gained deep access to targeted systems, to the point where the vendor and the FBI urged victims to replace compromised devices

Related: Cisco Warns of IOS Software Zero-Day Exploitation Attempts

Related: Cisco ASA Zero-Day Exploited in Akira Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.