Expert Comment on Zero-Day Vulnerability in Cisco IOS XE

A maximum-severity (CVSS 10) zero-day vulnerability in Cisco IOS XE has been exploited in the wild. Successful exploitation of this vulnerability would allow an attacker to create a user account with full administrative privileges. While no details have been provided, Cisco states that the vulnerability lies within the Web UI feature.

“On October 16, Cisco warned users of the discovery of a previously unknown zero-day in its Web User Interface (Web UI) feature of Cisco IOS XE software, and confirmed that it had been exploited in the wild. Successful exploitation could allow attackers to create an account with level 15 access, the highest privilege level that gives the user full control over the router.”

Commenting on this zero-day vulnerability in Cisco IOS XE, Scott Caveza, Staff Research Engineer, Tenable, noted, “With this level of access, an attacker can modify network routing rules as well as open ports for access to attacker-controlled servers for data exfiltration. When the attacker has this level of control and makes an administrative account with an innocuous name, it’s possible their activity could go undetected for quite some time. It is imperative that organisations apply the mitigations from Cisco’s security advisory as soon as possible and apply the patches as soon as they are released in order to successfully remediate this vulnerability.”
