
Widespread Cisco IOS XE Implants in the Wild

Jacob Baines (@Junior_Baines)

Key Takeaways

CVE-2023-20198 appears to have been widely exploited to install implants on Cisco IOS XE systems.
VulnCheck performed an internet scan and found thousands of implanted hosts.
VulnCheck released a scanner to detect the implant on affected devices.

On October 16, 2023, Cisco disclosed an authentication bypass, CVE-2023-20198, affecting Cisco IOS XE. The disclosure reported that the vulnerability had been exploited in the wild to help install implants on affected switches and routers. Additionally, Cisco shared a simple technique to determine whether an IOS XE device has an active implant: the implant responds with an 18-character hexadecimal string when a specific HTTP POST is sent to the system:

$ curl -X POST

Cisco buried the lede by not mentioning that thousands of internet-facing IOS XE systems have been implanted. VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation: privileged access to an IOS XE device likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.

VulnCheck has released the scanner used to find implanted systems on the internet.

$ ./implant-scanner -rhost -rport 80 -a -v -c | grep "implant-id"
time=2023-10-17T05:32:29.522-04:00 level=SUCCESS msg=Found implant-id=1a80b7389ccd0a5dab rhost=2192.168.1.1 rport=80 ssl=false
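The check described above, written as an added Go example rather than VulnCheck's own scanner code: it sends an empty POST to a caller-supplied URL and flags the host only when the response body is exactly an 18-character hexadecimal string. The `192.0.2.10` address and the `PATH_FROM_CISCO_ADVISORY` path are placeholders; the real check path comes from Cisco's advisory.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"regexp"
	"time"
)

// The implant answers a specific POST with an 18-character hex string; anything else is no hit.
var implantIDPattern = regexp.MustCompile(`^\s*([0-9a-fA-F]{18})\s*$`)
// ExtractImplantID returns the ID and true when body is exactly 18 hex chars (whitespace trimmed).
func ExtractImplantID(body string) (string, bool) {
	if m := implantIDPattern.FindStringSubmatch(body); m != nil {
		return m[1], true
	}
	return "", false
}

// CheckDevice sends an empty POST to url and reports whether the body is an implant ID.
// The caller supplies the full URL (device plus the check path from Cisco's advisory).
func CheckDevice(client *http.Client, url string) (string, bool, error) {
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return "", false, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", false, err
	}
	defer resp.Body.Close()
	// A genuine ID is 18 bytes; cap the read so a large login page is never buffered.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1024))
	if err != nil {
		return "", false, err
	}
	id, ok := ExtractImplantID(string(body))
	return id, ok, nil
}
func main() {
	// Placeholder target (TEST-NET address and placeholder path); substitute your own device.
	client := &http.Client{Timeout: 5 * time.Second}
	id, found, err := CheckDevice(client, "http://192.0.2.10/PATH_FROM_CISCO_ADVISORY")
	if err != nil {
		fmt.Println("request failed:", err)
	} else if found {
		fmt.Printf("level=SUCCESS msg=Found implant-id=%s\n", id)
	}
}
```

A login page, error page or empty body does not match, so a healthy device yields no hit; only a body that is solely 18 hex characters, like the `1a80b7389ccd0a5dab` value in the scanner output above, is reported.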

If your organization uses an IOS XE system, it's imperative that you determine whether your systems have been compromised and take appropriate action once an implant is discovered. While a patch is not yet available, you can protect your organization by disabling the web interface and removing all management interfaces from the internet immediately.

For additional guidance, read Cisco PSIRT’s advisory. Additionally, Cisco Talos wrote an informative blog about discovery of the issue.
