Cisco addressses critical software flaw in IOS XE, a vulnerability frequently targeted for attacks
=============================================================================
In a recent cybersecurity incident, an unidentified hacker exploited two previously unknown security issues in the Cisco IOS XE software: CVE-2023-20198 and CVE-2023-20273. These vulnerabilities allowed the hacker to gain unauthorized elevated privileges on Cisco devices.
CVE-2023-20198, a zero-day vulnerability in the Cisco IOS XE web UI, granted attackers unauthenticated access, enabling them to create high-privilege accounts on the device without valid credentials. CVE-2023-20273 is a related privilege escalation vulnerability, exploited after initial unauthorized access, allowing attackers to increase their privileges further.
These vulnerabilities were actively exploited by sophisticated threat actors, notably the Salt Typhoon group, to infiltrate US National Guard networks and other critical infrastructure, maintaining long-term, undetected access for at least nine months.
Attackers used these vulnerabilities to establish persistent, stealthy access and perform extensive network mapping and intelligence gathering while avoiding detection. Compromised devices or their malicious activity appeared offline or invisible to defenders, making traditional visibility tools ineffective until the security fixes were applied.
Cisco released a security fix on Sunday to address these critical zero-day vulnerabilities. Prior to the security release, researchers were no longer able to see the vast majority of infected devices online.
Recommended mitigations from Cisco and security experts include: - Applying the official Cisco security patches and updates immediately to close the exploited vulnerabilities. - Removing or disabling unauthorized accounts created by attackers. - Monitoring for suspicious activity such as unexpected administrator account creation or web UI access attempts. - Using network detection tools updated with signatures/rules for the associated attack patterns. - Enforcing least privilege and strong authentication for management interfaces to limit attack surface.
In summary, these two vulnerabilities allowed attackers unauthenticated initial access and subsequent privilege escalation, enabling stealthy network infiltration with compromised devices not showing in status or monitoring views prior to patching. Rapid application of patches and enhanced monitoring are critical mitigations.
This analysis is based primarily on detailed incident reports on Salt Typhoon attacks and Cisco advisory information from mid-2025. On October 12, Cisco Talos Incident Response and Cisco's Technical Assistance Center discovered an additional cluster of activity related to these vulnerabilities. The activities are believed to be from the same hacker, but the identity of that threat actor has not been disclosed.
[1] Salt Typhoon Attack Report, Cisco Talos, 2025 [3] Cisco IOS XE Software Zero-Day Vulnerabilities, Cisco Security Advisory, 2025 [4] Cisco IOS XE Software Zero-Day Vulnerabilities: A Deep Dive, ShadowServer, 2025
- Following the exploitation of two new vulnerabilities, specifically CVE-2023-20198 and CVE-2023-20273, in the Cisco IOS XE software, cybersecurity incidents have highlighted the importance of incident response strategies and modern technology in dealing with cybercrime and general-news events.
- The incident involving the Cisco IOS XE software vulnerabilities showcases how cybersecurity threats can lead to significant incidents, with hackers gaining unauthorized access and elevated privileges, as seen in the Salt Typhoon attacks against US National Guard networks and other critical infrastructure.
- The ongoing cybersecurity threat landscape underscores the need for improved cybersecurity measures, technology, and incident response plans to address vulnerabilities, reduce the risk of attacks, and mitigate the potential impact of cybercrime on crime-and-justice systems.
