CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Rockwell Automation Warns Customers of Cisco Zero-Day Affecting Stratix Switches

Rockwell Automation has warned customers about the impact of the actively exploited Cisco IOS XE zero-day on its Stratix industrial switches.

Rockwell Automation has warned customers about the impact of an actively exploited Cisco IOS XE zero-day vulnerability on its Stratix industrial switches.

Unidentified hackers have been exploiting two Cisco IOS XE zero-day vulnerabilities tracked as CVE-2023-20198 and CVE-2023-20273 to create high-privileged accounts on affected devices and deploy a Lua-based implant that gives them complete control of the system.

The cybersecurity community discovered tens of thousands of compromised systems shortly after Cisco disclosed the existence of the first zero-day. 

Rockwell informed customers last week that its Stratix 5800 and 5200 managed industrial Ethernet switches, which use the Cisco IOS XE operating system, are affected by CVE-2023-20198. The devices are only impacted if the IOS XE web UI feature is enabled.

[ Read: SecurityWeek’s 2023 ICS Cybersecurity Conference Kicks Off in Atlanta ]

Since it was published before the discovery of the second zero-day, Rockwell’s security advisory does not mention anything about CVE-2023-20273, which attackers have been using to deliver the implant. However, this flaw also impacts IOS XE software, which means that it likely affects Rockwell’s switches as well. 

Rockwell’s advisory says no patches are available, but Cisco did release fixes after the advisory was published. The industrial automation giant has promised to share updates as more information becomes available, but pointed out that it’s not aware of attacks targeting its products.

“While Rockwell Automation has no evidence of active exploitation against the Stratix product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer,” the company said.  

Advertisement. Scroll to continue reading.

The US cybersecurity agency CISA published its own advisory on Tuesday to notify organizations of Rockwell’s advisory. 

It’s unclear what the attackers’ goal is at this point. They still have control of tens of thousands of Cisco routers and switches, and they have updated their implant in an effort to maintain control.  

Related: APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure

Related: Organizations Informed of Over a Dozen Vulnerabilities in Rockwell Automation Products

Related: US Probing Cybersecurity Risks of Rockwell Automation’s China Operations: Report

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.