October 18, 2023

Cisco users have been advised to disable the web UI feature on all internet-facing devices immediately after the company disclosed a critical zero-day vulnerability in its IOS XE software that is being actively exploited in the wild.

The vulnerability, CVE-2023-20198, allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, essentially giving them complete control of the device.

Cisco says the flaw affects physical and virtual devices running its IOS XE software, with the HTTP or HTTPS Server feature turned on. The networking giant hasn’t published a full list of devices that are at risk.

Also, there’s no patch or workaround. Hence, Cisco “strongly recommends” that customers disable this feature on all internet-facing systems. This also echoes guidance from the U.S. Cybersecurity and Infrastructure Security Agency on how to mitigate risk from internet-exposed management interfaces.

“To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode,” Cisco’s advisory recommends . “If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.”

The sources for this piece include an article in TheRegister.