Cisco IOS XE software contains a critical security vulnerability that Cisco has warned is being actively exploited in the wild.

The zero-day vulnerability, which has its roots in the web UI functionality, has been given the highest severity rating of 10.0 on the CVSS scoring system and is designated as CVE-2023-20198.

It’s important to note that the flaw only affects enterprise networking equipment when the web UI feature is enabled and the device is exposed to the internet or to untrusted networks.

“This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” Cisco stated in an advisory issued on Monday. “The attacker can then use that account to gain control of the affected system.”

Both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled are affected by the issue. Disabling the HTTP server feature on internet-facing devices is advised as a mitigation.

The networking equipment vendor said it discovered the issue after spotting malicious behavior on an unnamed customer device as early as September 18, 2023, in which an authorized user created a local user account with the username “cisco_tac_admin” from a suspicious IP address. The activity ended on October 1, 2023.

On October 12, 2023, a second cluster of connected activity was discovered. In this instance, a malicious actor established a local user account with the name “cisco_support” from a different IP address.

Following this, a string of related events is said to have led to the deployment of a Lua-based implant, which gives the actor the ability to execute arbitrary commands at the system or IOS level.

The implant is installed by exploiting CVE-2021-1435, a now-patched vulnerability affecting the web UI of Cisco IOS XE Software, as well as through a still-unknown technique in cases where the system is fully patched against CVE-2021-1435.

“For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed,” Cisco stated.

The backdoor, which is stored at the file path “/usr/binos/conf/nginx-conf/cisco_service.conf,” is not persistent, so it is removed when the device is rebooted. The rogue privileged accounts that were created, however, remain in place.
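Because the implant does not survive a reboot but the rogue privilege-15 accounts do, the most durable check a defender can run against the activity described above is an audit of the device configuration. The following Python script is an added example, not code from Cisco or from the original article: it parses a constructed `show running-config` excerpt (not a real capture) for the two indicators the article names, an enabled HTTP/HTTPS server (the web UI exposure from the mitigation paragraph) and privilege-15 local accounts outside an operator-supplied allowlist, including the “cisco_tac_admin” and “cisco_support” names reported in the two clusters. The `KNOWN_ADMINS` allowlist and the hostname are assumptions for the sample; the IOS commands in the remediation list (`no ip http server`, `no ip http secure-server`, `no username <name>`) are standard IOS XE configuration commands.

```python
"""Audit an IOS XE running-config excerpt for the indicators named in the
advisory coverage: an exposed web UI (HTTP/HTTPS server enabled) and
unexpected privilege-15 local accounts. Added example; the sample config
below is constructed, not captured from a real device."""
import re

# Constructed sample of a `show running-config` excerpt (hostname and secrets are made up).
SAMPLE_CONFIG = """\
!
hostname EDGE-RTR-01
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username cisco_support privilege 15 secret 9 $9$REDACTED
username readonly privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

# Accounts the operator knows about (assumed); any other privilege-15 account is flagged.
KNOWN_ADMINS = {"netops"}
# Usernames the article reports the actor creating.
ADVISORY_NAMES = {"cisco_tac_admin", "cisco_support"}

# Matches "username <name> privilege <level> ..." lines from the running config.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)")


def privilege15_accounts(config: str) -> list[str]:
    """Return every local username configured with privilege level 15."""
    accounts = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and int(m.group(2)) == 15:
            accounts.append(m.group(1))
    return accounts


def web_ui_exposed(config: str) -> bool:
    """True if the HTTP or HTTPS server (and therefore the web UI) is enabled.
    A 'no ip http server' line does not match, so disabled servers are not flagged."""
    lines = {l.strip() for l in config.splitlines()}
    return "ip http server" in lines or "ip http secure-server" in lines


def remediation_lines(findings: dict) -> list[str]:
    """Build the IOS commands an operator would review before applying."""
    cmds = []
    if findings["web_ui_exposed"]:
        cmds += ["no ip http server", "no ip http secure-server"]
    for user in findings["unexpected_priv15"]:
        cmds.append(f"no username {user}")
    return cmds


def audit(config: str, known_admins=KNOWN_ADMINS) -> dict:
    """Run both checks and report findings plus suggested remediation."""
    unexpected = [u for u in privilege15_accounts(config) if u not in known_admins]
    findings = {
        "web_ui_exposed": web_ui_exposed(config),
        "unexpected_priv15": unexpected,
        # Names that match the accounts reported in the two activity clusters.
        "advisory_name_match": sorted(set(unexpected) & ADVISORY_NAMES),
    }
    findings["remediation"] = remediation_lines(findings)
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The remediation list is deliberately returned rather than applied: removing accounts and disabling the HTTP server should be reviewed against change control, and any match on the advisory names warrants incident response (including a reboot to clear a non-persistent implant) rather than quiet cleanup.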

Although the threat actor’s origin remains unknown, Cisco has attributed both clusters of activity to what it believes is the same threat actor.

“The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant,” the business stated.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an alert in response to the discovery and added the vulnerability to its list of “Known Exploited Vulnerabilities” (KEV).

State-sponsored attacks on international network infrastructure were reported by U.K. and U.S. cybersecurity and intelligence agencies in April 2023. Cisco stated that route/switch devices are a “perfect target for an adversary looking to be both quiet and have access to important intelligence capability as well as a foothold in a preferred network.”