On Monday 16 October 2023, Cisco warned of a high-severity authentication bypass zero-day vulnerability affecting a wide range of products. The vulnerability allows a remote, unauthenticated actor to create privileged accounts on vulnerable systems, which can then be used to gain control of the affected system. The vulnerability affects devices running Cisco IOS XE Software on which the web UI feature is enabled.
We recommend disabling the vulnerable web UI feature on all affected devices until Cisco releases a patch for this vulnerability.
The vulnerability, tracked as CVE-2023-20198, is an authentication bypass in the web UI feature of Cisco IOS XE. Cisco IOS XE is software used in a wide range of Cisco networking devices, including routers and switches. The vulnerability concerns Cisco IOS XE software on which the web UI feature is enabled. The products susceptible to this vulnerability (that are supported by Cisco IOS XE) are as follows:
Catalyst 9000 family
Catalyst 9800 Series
Catalyst 9100 Series
ASR 1000 Series
ASR 900 Series
NCS 4200 Series
Catalyst 8000 Edge Platforms
ISR 4000 Series
ISR 1000 Series
IR1100 Rugged Series
IR1800 Rugged Series
IR8100 Heavy Duty Series
IR8300 Rugged Series
Catalyst 8000V Edge
Converged broadband routers
We determine the impact of these vulnerabilities to be HIGH.
The identified vulnerability permits remote, unauthenticated attackers to establish an unauthorised account on the targeted system with elevated privileges. The compromised account can subsequently gain full control over the affected system, potentially disabling security features such as firewall rules or network segmentation. This in turn could lead to severe consequences such as sensitive data exfiltration and the deployment of ransomware.
We determine the risk of these vulnerabilities to be HIGH due to the widespread use of Cisco IOS XE and the susceptibility for exploitation with an enabled web UI feature. The primary risks associated with these vulnerabilities are related to privilege escalation, unauthorised access to your environment, and sensitive data exfiltration.
At the time of writing, active exploitation of CVE-2023-20198 (Web UI Privilege Escalation Vulnerability) has been observed by Cisco. 
At the time of writing, Cisco has not released any patches that address this vulnerability. Northwave recommends that users of products running Cisco IOS XE disable the HTTP Server feature.
To disable the vulnerable HTTP Server feature, use the following commands in global configuration mode:
no ip http server
no ip http secure-server
If both HTTP and HTTPS servers are in use, both commands are required to disable the feature.
We also recommend writing these changes back to the startup configuration, so that they remain in effect when the device reboots.
What should you do?
We recommend that customers using the above-mentioned products running Cisco IOS XE disable the HTTP Server feature as soon as possible. If you run critical services that strictly require HTTP/HTTPS communication, restrict access to those services to trusted networks.
The following command can be used to check whether the HTTP Server feature is enabled on a device. If the output contains either of the two lines shown below it, the corresponding server is enabled:
show running-config | include ip http server|secure|active
ip http server
ip http secure-server
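As an added illustration (not part of the original advisory, and not Cisco's or Northwave's tooling), the following Python snippet shows how an operator could evaluate the output of the check above across many devices and derive exactly the two mitigation commands from the Mitigation section for the servers that are actually enabled. The filtered running-config output below is constructed sample text; on real devices the lines may appear in either their enabled form (ip http server) or their explicitly negated form (no ip http server), and the parser treats an absent line as "not seen" so that the operator can verify the platform default by hand.

```python
from typing import Dict, List, Optional

# Constructed sample output, as one might get from
# 'show running-config | include ip http server|secure|active'.
# The 'active-session-modules' line matches the filter but is unrelated
# to whether the servers are enabled, so the parser must ignore it.
SAMPLE_ENABLED = """\
ip http server
ip http secure-server
ip http active-session-modules none
"""

# Constructed sample output from a device where both servers are
# explicitly disabled (IOS XE shows the negated form in running-config).
SAMPLE_DISABLED = """\
no ip http server
no ip http secure-server
"""

# The two configuration statements the advisory is concerned with.
FEATURES = ("ip http server", "ip http secure-server")

# Privileged EXEC command that saves the running configuration to the
# startup configuration ('copy running-config startup-config' is equivalent).
SAVE_COMMAND = "write memory"


def parse_http_server_state(config_output: str) -> Dict[str, Optional[bool]]:
    """Return {feature: True (enabled), False (negated), None (line not seen)}."""
    state: Dict[str, Optional[bool]] = {feature: None for feature in FEATURES}
    for raw in config_output.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")
        key = line[3:].strip() if negated else line
        if key in state:
            state[key] = not negated
    return state


def is_exposed(state: Dict[str, Optional[bool]]) -> bool:
    """True if at least one of the HTTP/HTTPS servers is confirmed enabled."""
    return any(value is True for value in state.values())


def unverified_features(state: Dict[str, Optional[bool]]) -> List[str]:
    """Features whose line did not appear; the platform default applies."""
    return [feature for feature, value in state.items() if value is None]


def mitigation_commands(state: Dict[str, Optional[bool]]) -> List[str]:
    """Global-configuration commands from the advisory for each enabled server."""
    return [f"no {feature}" for feature, value in state.items() if value is True]


if __name__ == "__main__":
    for label, output in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        state = parse_http_server_state(output)
        print(f"[{label}] exposed={is_exposed(state)} unverified={unverified_features(state)}")
        for command in mitigation_commands(state):
            print("  config:", command)
        if mitigation_commands(state):
            print("  exec:  ", SAVE_COMMAND)
```

The commands the script emits are meant to be sent in global configuration mode, followed by the save command in privileged EXEC mode, exactly as the Mitigation section describes; the script itself never connects to a device.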
If the HTTP Server feature is found to be enabled, we recommend disabling it as described in the Mitigation section above. Afterwards, please refer to the instructions shared by Cisco in  to check for known indicators of compromise.
Note: The checks regarding usernames may not be completely reliable, as attackers would be able to use any username from different IPs. If the checks regarding the implants come back positive, it is likely that the device is compromised.
Northwave also recommends continuously monitoring Cisco's official channels for updates and advisories related to this vulnerability. Cisco is actively working on a patch to address this issue and is expected to release it in the near future.
What will Northwave do?
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: email@example.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.