Patch arrives for Cisco's IOS XE

Second vulnerability disclosed.

Cisco has announced a fix for a vulnerability in its IOS XE software that allowed attackers to create privileged accounts on vulnerable devices.

The vendor said last week that the vulnerability was under exploitation by attackers, and promised to update customers when a patch was available.

On October 22, it updated its advisory to confirm a patch is now available.

At the same time, the company also expanded the scope of the advisory.

In addition to the original vulnerability, CVE-2023-20198, Cisco’s investigation revealed a second zero-day bug used in the attacks, designated CVE-2023-20273.

The attackers utilised the account they created using CVE-2023-20198 to exploit CVE-2023-20273.

“The attacker then exploited [CVE-2023-20273] leveraging the new local user to elevate privilege to root and write the implant to the file system,” the updated advisory said.

Users unable to upgrade can disable the web UI.

Fixes have been released for IOS XE versions 17.9, 17.6, 17.3, and for Catalyst 2650 and 3850 units, 16.12.

IOS XE is a Linux-based variant of Cisco’s IOS operating system, and is used in a variety of switch, router, and virtual router products.
