Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild.
Rooted in the web UI feature, the zero-day vulnerability is tracked as CVE-2023-20198 and carries the maximum severity rating of 10.0 on the CVSS scoring system.
It’s worth pointing out that the shortcoming only affects enterprise networking gear that has the web UI feature enabled and exposed to the internet or to untrusted networks.
“This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” Cisco said in a Monday advisory. “The attacker can then use that account to gain control of the affected system.”
The problem impacts both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS server feature enabled. As a mitigation, it’s recommended to disable the HTTP server feature on internet-facing systems.
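The two actionable points above, the web server feature that should be disabled and the privilege-15 account an attacker creates, can be checked from a saved running-config. The following is an added example, not Cisco's code or anything from the advisory; the config excerpt, hostname, account names and the baseline set are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed IOS XE running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER_HASH
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER_HASH
username monitor privilege 1 secret 9 $9$PLACEHOLDER_HASH
!
ip http server
ip http secure-server
!
"""

# Constructed baseline: privilege-15 accounts the organization knows it created.
KNOWN_PRIV15 = {"netadmin"}

# Matches "username <name> privilege <level> ..." lines in IOS configuration.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")

@dataclass
class Findings:
    http_enabled: bool = False
    https_enabled: bool = False
    priv15_accounts: list = field(default_factory=list)
    unexpected_priv15: list = field(default_factory=list)
    remediation: list = field(default_factory=list)

def audit_config(config: str, known_priv15: set) -> Findings:
    """Flag an enabled web UI server and privilege-15 accounts not in the baseline."""
    f = Findings()
    for raw in config.splitlines():
        line = raw.strip()
        # Only the enabling form counts; "no ip http server" leaves the flag off.
        if line == "ip http server":
            f.http_enabled = True
        elif line == "ip http secure-server":
            f.https_enabled = True
        m = USERNAME_RE.match(line)
        if m and int(m.group(2)) == 15:
            f.priv15_accounts.append(m.group(1))
    f.unexpected_priv15 = sorted(set(f.priv15_accounts) - known_priv15)
    # Remediation mirrors the advisory: disable the HTTP/HTTPS server feature.
    if f.http_enabled:
        f.remediation.append("no ip http server")
    if f.https_enabled:
        f.remediation.append("no ip http secure-server")
    return f

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG, KNOWN_PRIV15))
```

Run it against configs pulled from each internet-facing device; any name in `unexpected_priv15` warrants an incident-response look rather than a silent cleanup.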