id: cisco-implant-detect info: name: Cisco IOS XE - Impant Detection author: DhiyaneshDK,rxerium severity: critical description: | Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. remediation: | Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: 'no ip http server' or 'no ip http secure-server'. reference: - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z - https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/ - https://socradar.io/cisco-warns-of-exploitation-of-a-maximum-severity-zero-day-vulnerability-in-ios-xe-cve-2023-20198 - https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner/blob/main/implant-scanner.go metadata: verified: true max-request: 2 shodan-query: http.html_hash:1076109428 product: ios_xe vendor: cisco tags: backdoor,cisco,ios,kev http: - raw: - | GET /webui HTTP/1.1 Host: {{Hostname}} - | POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1 Host: {{Hostname}} Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb redirects: true max-redirects: 3 matchers-condition: and matchers: - type: regex part: body_1 regex: - 'webui-centerpanel-title' - type: regex part: body_2 regex: - '^([a-f0-9]{18})\s*$' - type: dsl dsl: - status_code_2 == 200 # digest: 4a0a004730450220168522beff645c0b82f0faf7ad2359a372694bf17bc6f31378277c1b01647f63022100e5adbdb3bdd6f922a15f8a4296295d521520a5c56503dba4c72aa487c8b63b73:922c64590222798bb761d5b6d8e72950