CVE-2023-20198
Published 2023-10-16
Priority: P1 (100) · Severity: critical · CVSS 3.1 base score 10 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-10-20
Exploited in the wild
EPSS: 99.57% (99.9th percentile)
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
Affected
193 version ranges in the source (25 shown); the version bounds and fixed-in releases were not captured in this extract, so the rows below collapse to a single entry. Use the Cisco Software Checker referenced in the vendor advisory for the authoritative fixed-release list.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_ios_xe_software | not captured (193 ranges) | not captured |
Detection & IOCs (extracted from sources)
- Monitor for log clearing commands ('clear logging') and removal of local usernames via 'no username' commands on IOS XE devices, which indicate attacker defense evasion activity post-exploitation.
- The BadCandy implant is not persistent and is removed on device reboot, but attacker-created level-15 user accounts survive reboots; incident response should audit local user accounts even after rebooting.
- GreyNoise observed 110 malicious IPs actively exploiting CVE-2023-20198, primarily geolocated to Bulgaria, Brazil, and Singapore; use the GreyNoise tag/blocklist for real-time IP blocking.
- The BadCandy implant requires the web server to be restarted to become active; in at least one observed case the server was not restarted, so the implant never became active despite being installed.
- The 18-character and 40-character hexadecimal strings hardcoded in the BadCandy implant are unique per device in most cases, but were observed to be the same across different devices in some instances; do not rely on a single static hash value for detection.
- CVE-2021-1435 was initially associated with this activity but was later removed; only CVE-2023-20198 and CVE-2023-20273 are confirmed to be exploited in this attack chain.
- The second version of BadCandy checks for an HTTP Authorization header before responding, which caused a sharp decline in visibility of infected systems using prior curl-based detection methods; update detection queries accordingly.
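A triage helper written for this page (not code from Cisco, CISA or any of the sources listed here) that applies the first two detection notes: it audits a running-config dump for privilege-15 local accounts outside an approved baseline, and scans configuration-log events for 'clear logging', 'no username' and new level-15 user creation. The config and syslog samples are constructed, and the log-line shape is an assumption modelled on the IOS config logger; adapt the regex to your real source (for example AAA command accounting).

```python
"""Post-exploitation triage for the IOS XE indicators listed above.

Added example; the sample config and log lines are constructed, not captured
from a real device. Two checks are implemented:
  1. audit_local_users: privilege-15 local accounts outside an approved
     baseline (these survive a reboot even though the implant does not).
  2. scan_config_log: 'clear logging' and 'no username' commands, plus new
     privilege-15 user creation, in configuration-log syslog events.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Usernames that appear in the Emerging Threats rules on this page
# (Auth=cisco_support, Auth=cisco_tac_admin). They are ranked higher, but
# every unexpected level-15 account is reported.
KNOWN_SUSPICIOUS_USERS = {"cisco_support", "cisco_tac_admin"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
# Assumed log shape, modelled on the IOS config logger message; adjust the
# pattern if your export (or AAA command accounting) formats lines differently.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(\S+)\s+logged command:(.*)$"
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    kind: str
    user: str
    detail: str


def audit_local_users(running_config: str, baseline_users: set[str]) -> list[Finding]:
    """Return privilege-15 local users that are not in the approved baseline."""
    findings = []
    for raw in running_config.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if not m:
            continue
        user, rest = m.group(1), m.group(2)
        p = PRIV_RE.search(rest)
        level = int(p.group(1)) if p else 1  # IOS default privilege level is 1
        if level < 15 or user in baseline_users:
            continue
        sev = "high" if user in KNOWN_SUSPICIOUS_USERS else "medium"
        findings.append(Finding(sev, "unexpected-priv15-user", user, line))
    return findings


def scan_config_log(syslog: str) -> list[Finding]:
    """Flag log clearing, local-user removal and level-15 user creation."""
    findings = []
    for line in syslog.splitlines():
        m = CFGLOG_RE.search(line)
        if not m:
            continue
        actor, cmd = m.group(1), m.group(2).strip()
        if cmd.startswith("clear logging"):
            findings.append(Finding("high", "log-clearing", actor, cmd))
        elif cmd.startswith("no username "):
            findings.append(Finding("high", "user-removal", actor, cmd))
        elif cmd.startswith("username "):
            p = PRIV_RE.search(cmd)
            if p and int(p.group(1)) == 15:
                findings.append(Finding("medium", "priv15-user-created", actor, cmd))
    return findings


def triage(running_config: str, syslog: str, baseline_users: set[str]) -> list[Finding]:
    """Combine both checks, highest severity first."""
    order = {"high": 0, "medium": 1}
    found = audit_local_users(running_config, baseline_users) + scan_config_log(syslog)
    return sorted(found, key=lambda f: (order[f.severity], f.kind, f.user))


# Constructed sample input (secrets replaced with a placeholder).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk secret 9 $9$PLACEHOLDER
ip http server
ip http secure-server
"""

SAMPLE_SYSLOG = """\
Oct 17 2023 02:11:09: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco_tac_admin  logged command:username netops2 privilege 15 secret *****
Oct 17 2023 02:12:40: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco_tac_admin  logged command:no username netops2
Oct 17 2023 02:13:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco_tac_admin  logged command:clear logging
Oct 17 2023 02:14:00: %SYS-5-CONFIG_I: Configured from console by netops on vty0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_RUNNING_CONFIG, SAMPLE_SYSLOG, baseline_users={"netops"}):
        print(f"[{f.severity}] {f.kind} user={f.user}: {f.detail}")
```

Run it against a `show running-config` capture and an exported syslog; because the implant itself does not survive a reboot, the account audit is the check that still yields evidence afterwards.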
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |
| vendor_cisco | | 10.0 | CRITICAL | |
CISA ICS
Rockwell Automation Stratix 5800 and Stratix 5200 (Update A)
cisa_ics·2023-11-21·CVSS 10.0
[CRITICAL] Rockwell Automation Stratix 5800 and Stratix 5200 (Update A)
ICS Advisory
## Rockwell Automation Stratix 5800 and Stratix 5200 (Update A)
Last revised: November 21, 2023
Alert code: ICSA-23-297-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity/known public exploitation
- Vendor: Rockwell Automation
- Equipment: Stratix 5800 and Stratix 5200
- Vulnerabilities: Unprotected Alternate Channel, OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to take control of the affected system.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Stratix products and the contained Cisco IOS software are affected:
- Stratix 5800 (running Cisco IOS XE Software with the Web UI fe
CISA
Cisco IOS XE Web UI Command Injection Vulnerability
cisa·2023-10-23·CVSS 7.2
CVE-2023-20273 [HIGH] CWE-78 Cisco IOS XE Web UI Command Injection Vulnerability
Vulnerability: Cisco IOS XE Web UI Command Injection Vulnerability
Affected: Cisco Cisco IOS XE Web UI
Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the new local user to elevate privilege to root and write the implant to the file system. Cisco identified CVE-2023-20273 as the vulnerability exploited to deploy the implant. CVE-2021-1435, previously associated with the exploitation events, is no longer believed to be related to this activity.
Required Action: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instr
CISA
Cisco IOS XE Web UI Privilege Escalation Vulnerability
cisa·2023-10-16·CVSS 10.0
CVE-2023-20198 [CRITICAL] CWE-420 Cisco IOS XE Web UI Privilege Escalation Vulnerability
Vulnerability: Cisco IOS XE Web UI Privilege Escalation Vulnerability
Affected: Cisco IOS XE Web UI
Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker to create an account with privilege level 15 access. The attacker can then use that account to gain control of the affected device.
Required Action: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.
Notes: https://www.cisco.com/c/en/us/support/docs/ios-nx-
Cisco
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
vendor_cisco·2023-10-16·CVSS 10.0
CVE-2023-20198 [CRITICAL] CWE-420 Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker.
Fix information can be found in the Fixed Software section of this advisory.
Our investigation has determined that the actors exploited two previously unknown issues.
The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.
The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant
Cisco
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
vendor_cisco·CVSS 3.1
CVE-2023-20198 Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
CVE-2023-20198: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Fix information can be found in the Fixed Software section of this advisory. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and wri
Cisco
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
vendor_cisco·CVSS 3.1
CVE-2023-20273 Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
CVE-2023-20273: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Fix information can be found in the Fixed Software section of this advisory. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and wri
GHSA
GHSA-4xrf-pcxr-rf3c: Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the interne
ghsa_unreviewed·2023-10-16
CVE-2023-20198 [CRITICAL] CWE-420 GHSA-4xrf-pcxr-rf3c: Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the interne
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory
Cisco will provide updates on the status of this investigation and when a software patch is available.
VulnCheck
Cisco IOS XE Web UI Privilege Escalation Vulnerability
vulncheck·2023·CVSS 10.0
CVE-2023-20198 [CRITICAL] CWE-420 Cisco IOS XE Web UI Privilege Escalation Vulnerability
Cisco IOS XE Web UI Privilege Escalation Vulnerability
Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker to create an account with privilege level 15 access. The attacker can then use that account to gain control of the affected device.
Affected: Cisco IOS XE Web UI
Required Action: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.
Known Ransomware Campaign Use: Known
Exploitation References: https://
VulnCheck
Cisco IOS XE Web UI Command Injection Vulnerability
vulncheck·2023·CVSS 7.2
CVE-2023-20273 [HIGH] CWE-78 Cisco IOS XE Web UI Command Injection Vulnerability
Cisco IOS XE Web UI Command Injection Vulnerability
Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the new local user to elevate privilege to root and write the implant to the file system. Cisco identified CVE-2023-20273 as the vulnerability exploited to deploy the implant. CVE-2021-1435, previously associated with the exploitation events, is no longer believed to be related to this activity.
Affected: Cisco IOS XE Web UI
Required Action: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine
Suricata
ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) M3
suricata·2023-11-07·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) M3
ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) M3
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) M3"; flow:established,to_server; urilen:32; http.method; content:"POST"; http.uri; content:"|2f|webui|2f|logoutconfirm|2e|html|3f|menu|3d|1"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:trojan-activity; sid:2049103; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_11_07, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By
Suricata
ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Outbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Outbound)
ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c 2f|wsse|3a|Username|3e 20 3c|wsse|3a|Password|3e|"; content:"|3c|config|2d|data|3e 20 3c|cli|2d|config|2d|data|2d|block|3e|"; fast_pattern; content:"|3c 2f|configApply|3e|"; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:url,twitter.com/SI_FalconTeam/status/1718346358950711807; reference:cve,2023-20198; classtype:misc-activity; sid:2048944; rev:1; metadata:attack_target Network
Suricata
ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Outbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Outbound)
ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"Auth=cisco_support"; startswith; fast_pattern; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; reference:url,twitter.com/SI_FalconTeam/status/1718346358950711807; classtype:misc-activity; sid:2048935; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Info
Suricata
ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Inbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Inbound)
ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c 2f|wsse|3a|Username|3e 20 3c|wsse|3a|Password|3e|"; content:"|3c 2f|cmd|3e 20 3c 2f|execCLI|3e|"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:misc-activity; sid:2048943; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_10_30, cve CVE_2023_20198_CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence
Suricata
ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Inbound)
suricata·2023-10-30
CVE-2023-20198 ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Inbound)
ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Inbound)"; flow:established,to_server; http.request_header; header_lowercase; bsize:14; content:"priv-level|3a 20|15"; fast_pattern; startswith; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:url,twitter.com/SI_FalconTeam/status/1718346358950711807; reference:cve,2023-20198; classtype:misc-activity; sid:2048936; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_s
Suricata
ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Outbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Outbound)
ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c 2f|wsse|3a|Username|3e 20 3c|wsse|3a|Password|3e|"; content:"|3c 2f|cmd|3e 20 3c 2f|execCLI|3e|"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:misc-activity; sid:2048942; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity I
Suricata
ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Inbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Inbound)
ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c 2f|wsse|3a|Username|3e 20 3c|wsse|3a|Password|3e|"; content:"|3c|config|2d|data|3e 20 3c|cli|2d|config|2d|data|2d|block|3e|"; fast_pattern; content:"|3c 2f|configApply|3e|"; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:url,twitter.com/SI_FalconTeam/status/1718346358950711807; reference:cve,2023-20198; classtype:misc-activity; sid:2048945; rev:1; metadata:attack_
Suricata
ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Outbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Outbound)
ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"|25|25"; http.request_body; content:"|3c|SOAP|3a|Body|3e|"; nocase; content:"|3c|request correlator|3d 22|"; nocase; distance:0; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:attempted-admin; sid:2048940; rev:4; metadata:created_at 2023_10_30, deployment Perimeter, deployment Internal, deployment SSLDecrypt
Suricata
ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Inbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Inbound)
ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"|25|25"; http.request_body; content:"|3c|SOAP|3a|Body|3e|"; nocase; content:"|3c|request correlator|3d 22|"; nocase; distance:0; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:attempted-admin; sid:2048941; rev:3; metadata:created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployme
Suricata
ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Outbound)
suricata·2023-10-30
CVE-2023-20198 ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Outbound)
ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Outbound)"; flow:established,to_server; http.request_header; header_lowercase; bsize:14; content:"priv-level|3a 20|15"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:url,twitter.com/SI_FalconTeam/status/1718346358950711807; reference:cve,2023-20198; classtype:misc-activity; sid:2048937; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Informational, tag Desc
Suricata
ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Inbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Inbound)
ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"Auth=cisco_tac_admin"; startswith; fast_pattern; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:misc-activity; sid:2048938; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Informational, tag CISA_KEV, tag Description_Genera
Suricata
ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Inbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Inbound)
ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"Auth=cisco_support"; startswith; fast_pattern; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; reference:url,twitter.com/SI_FalconTeam/status/1718346358950711807; classtype:misc-activity; sid:2048934; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature
Suricata
ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Outbound)
suricata·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Outbound)
ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_tac_admin) (CVE-2023-20198) (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"Auth=cisco_tac_admin"; startswith; fast_pattern; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:misc-activity; sid:2048939; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Informational, tag CISA_KEV, tag Description_Generated_By_Proofpo
Suricata
ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Inbound) M1
suricata·2023-10-17·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Inbound) M1
ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Inbound) M1
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Inbound) M1"; flow:established,to_server; urilen:38; http.method; content:"POST"; http.uri; content:"/webui/logoutconfirm.html?logon_hash=1"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:trojan-activity; sid:2048584; rev:2; metadata:affected_product iOS, attack_target Web_Server, created_at 2023_10_17, cve CVE_2023_20198, deployment Perimeter, deployment Internet, deployment SSLDecrypt, confidence High, signature_severity Major
Suricata
ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Outbound) M1
suricata·2023-10-17·CVSS 10.0
CVE-2023-20198 [CRITICAL] ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Outbound) M1
ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Outbound) M1
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Outbound) M1"; flow:established,to_server; urilen:38; http.method; content:"POST"; http.uri; content:"/webui/logoutconfirm.html?logon_hash=1"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:trojan-activity; sid:2048583; rev:2; metadata:affected_product iOS, attack_target Web_Server, created_at 2023_10_17, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Gen
Metasploit
Cisco IOX XE unauthenticated Command Line Interface (CLI) execution
metasploit·CVSS 10.0
CVE-2023-20198 [CRITICAL] Cisco IOX XE unauthenticated Command Line Interface (CLI) execution
Cisco IOX XE unauthenticated Command Line Interface (CLI) execution
This module leverages CVE-2023-20198 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute arbitrary CLI commands with privilege level 15. You must specify the IOS command mode to execute a CLI command in. Valid modes are `user`, `privileged`, and `global`. To run a command in "Privileged" mode, set the `CMD` option to the command you want to run, e.g. `show version` and set the `MODE` to `privileged`. To run a command in "Global Configuration" mode, set the `CMD` option to the command you want to run, e.g. `username hax0r privilege 15 password hax0r` and set the `MODE` to `global`. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.
Metasploit
Cisco IOX XE unauthenticated OS command execution
metasploit·CVSS 10.0
CVE-2023-20198 [CRITICAL] Cisco IOX XE unauthenticated OS command execution
Cisco IOX XE unauthenticated OS command execution
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges. This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user, CVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read back via the webserver. Finally the output file is deleted and the admin user is removed. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.
Nuclei
Cisco IOS XE - Impant Detection
nuclei
Cisco IOS XE - Impant Detection
Cisco IOS XE - Impant Detection
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
Template:
    id: cisco-implant-detect
    info:
      name: Cisco IOS XE - Impant Detection
      author: DhiyaneshDK,rxerium
      severity: critical
      description: |
        Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated
Nuclei
Cisco IOS XE Web UI - Command Injection
nuclei·CVSS 10.0
CVE-2023-20198 [CRITICAL] Cisco IOS XE Web UI - Command Injection
Cisco IOS XE Web UI - Command Injection
A vulnerability in the web UI component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system. This vulnerability is due to improper input validation in the web UI. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.
Template:
```yaml
id: CVE-2023-20198
info:
  name: Cisco IOS XE Web UI - Command Injection
  author: iamnoooob,rootxharsh,pdresearch,nullenc0de
  severity: critical
  description: |
    A vulnerability in the web UI component of Cisco IOS XE Software could allow an unauth
```
Metasploit
Cisco IOS XE Unauthenticated RCE Chain
metasploit·CVSS 10.0
CVE-2023-20198 [CRITICAL] Cisco IOS XE Unauthenticated RCE Chain
Cisco IOS XE Unauthenticated RCE Chain
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.
Hackernews
New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
blogs_hackernews·2026-06-26·CVSS 9.8
CVE-2021-26855 [CRITICAL] New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
## New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.
Kaspersky, which is tracking the activity under the moniker StrikeShark , said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Ne
Securelist
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
blogs_securelist·2026-06-24
CVE-2021-26855 StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
Fareed Radzi
Table of Contents
Introduction
Initial infection
Exploitation of public-facing applications
Dropper-based distribution
SharkLoader installation
SharkLoader DLL – Main implant
“PerfectDLL Hijacking” technique
Decryption and loading of DscCoreR.mui
DscCoreR.mui and SyncRes.dat DLLs
Decryption and loading of SyncRes.dat
SyncRes.dat decrypted DLL: Multiple API hooks
VEH registration and access violation handling
Thread creation for Cobalt Strike Beacon execution
MinHook DLL, API hooking, and Cobalt Strike beacon
Persistence mechanism
Post-compromise activity
Victimology
Attribution
Conclusion
Indicators of compromise
Authors
## Introduction
During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previo
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Talos
IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
blogs_talos·2026-04-22
CVE-2025-20393 IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
## IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025.
Public administration and health care tied as the most targeted industry verticals, each accounting for 24 percent of all engagements. This is the third consecutive quarter where public administration has been the most targeted industry vertical.
Pre-ransomware incidents made up just 18 percent of engagements this quarter, and we did not observe any ransomware deployment due to early and swift mitigation from Cisco Talos Incident Response
Bleepingcomputer
Australia warns of BadCandy infections on unpatched Cisco devices
blogs_bleepingcomputer·2025-10-31·CVSS 10.0
CVE-2023-20198 [CRITICAL] Australia warns of BadCandy infections on unpatched Cisco devices
## Australia warns of BadCandy infections on unpatched Cisco devices
## Bill Toulas
The Australian government is warning about ongoing cyberattacks against unpatched Cisco IOS XE devices in the country to infect routers with the BadCandy webshell.
The vulnerability exploited in these attacks is CVE-2023-20198, a max-severity flaw that allows remote unauthenticated threat actors to create a local admin user via the web user interface and take over the devices.
Cisco fixed the flaw in October 2023, which was then marked as an actively exploited issue. A public exploit became available two weeks later, fueling mass exploitation for backdoor planting on internet-exposed devices.
The Australian authorities have warned that variants of the same Lua-based BadCandy web shells are still used i
Tenable
Cybersecurity Snapshot: Expert Advice for Securing Critical Infrastructure’s OT and Industrial Control Systems, IoT Devices and Network Infrastructure
blogs_tenable·2025-09-05
Cybersecurity Snapshot: Expert Advice for Securing Critical Infrastructure’s OT and Industrial Control Systems, IoT Devices and Network Infrastructure
Tenable
Chinese State-Sponsored Actors Compromising Global Networks
blogs_tenable·2025-08-29
Chinese State-Sponsored Actors Compromising Global Networks
Tenable
Cybersecurity Snapshot: Agentic AI Security in Focus With Anthropic’s Chilling Abuse Disclosure and CSA’s New Identity Protection Framework
blogs_tenable·2025-08-29
Cybersecurity Snapshot: Agentic AI Security in Focus With Anthropic’s Chilling Abuse Disclosure and CSA’s New Identity Protection Framework
Bleepingcomputer
Global Salt Typhoon hacking campaigns linked to Chinese tech firms
blogs_bleepingcomputer·2025-08-27·CVSS 9.8
[CRITICAL] Global Salt Typhoon hacking campaigns linked to Chinese tech firms
## Global Salt Typhoon hacking campaigns linked to Chinese tech firms
## Lawrence Abrams
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.
According to the joint advisories [ NSA , NCSC ], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China's Ministry of State Security and the People's Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.
Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation
Bleepingcomputer
Chinese hackers breached National Guard to steal network configurations
blogs_bleepingcomputer·2025-07-17
Chinese hackers breached National Guard to steal network configurations
## Chinese hackers breached National Guard to steal network configurations
## Lawrence Abrams
The Chinese state-sponsored hacking group known as Salt Typhoon breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and administrator credentials that could be used to compromise other government networks.
Salt Typhoon is a Chinese state-sponsored hacking group that is believed to be affiliated with China's Ministry of State Security (MSS) intelligence agency. The hacking group has gained notoriety over the past two years for its wave of attacks on telecommunications and broadband providers worldwide, including AT&T, Verizon, Lumen , Charter, Windstream , and Viasat .
The goal of some of these attacks was to gain
Bleepingcomputer
Canada says Salt Typhoon hacked telecom firm via Cisco flaw
blogs_bleepingcomputer·2025-06-23·CVSS 10.0
CVE-2023-20198 [CRITICAL] Canada says Salt Typhoon hacked telecom firm via Cisco flaw
## Canada says Salt Typhoon hacked telecom firm via Cisco flaw
## Bill Toulas
The Canadian Centre for Cyber Security and the FBI confirm that the Chinese state-sponsored 'Salt Typhoon' hacking group is also targeting Canadian telecommunication firms, breaching a telecom provider in February.
During the February 2025 incident, Salt Typhoon exploited the CVE-2023-20198 flaw, a critical Cisco IOS XE vulnerability allowing remote, unauthenticated attackers to create arbitrary accounts and gain admin-level privileges.
The flaw was first disclosed in October 2023, when it was reported that threat actors had exploited it as a zero-day to hack over 10,000 devices .
Despite a significant period having passed, at least one major telecommunications provider in Canada still hadn't patched, giving
Tenable
Cybersecurity Snapshot: U.K. NCSC’s Best Cyber Advice on AI Security, the Quantum Threat, API Risks, Mobile Malware and More
blogs_tenable·2025-05-09
Cybersecurity Snapshot: U.K. NCSC’s Best Cyber Advice on AI Security, the Quantum Threat, API Risks, Mobile Malware and More
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Greynoiseio
GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks
blogs_greynoiseio·2025-02-24·CVSS 9.8
[CRITICAL] GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks
Talos
Weathering the storm: In the midst of a Typhoon
blogs_talos·2025-02-20·CVSS 9.8
[CRITICAL] Weathering the storm: In the midst of a Typhoon
## Weathering the storm: In the midst of a Typhoon
## Summary
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities.
Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the
Bleepingcomputer
Chinese hackers breach more US telecoms via unpatched Cisco routers
blogs_bleepingcomputer·2025-02-14·CVSS 10.0
CVE-2023-20198 [CRITICAL] Chinese hackers breach more US telecoms via unpatched Cisco routers
## Chinese hackers breach more US telecoms via unpatched Cisco routers
## Sergiu Gatlan
China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
Recorded Future's Insikt Group threat research division states that the Chinese hacking group (tracked Salt Typhoon and RedMike) has exploited the CVE-2023-20198 privilege escalation and CVE-2023-20273 Web UI command injection vulnerabilities.
These ongoing attacks have already resulted in network breaches at multiple telecommunications providers, including a U.S. internet service provider (ISP), a U.S.-based affiliate of a U.K. telecommunications provider, a South African telecom provider, an Italian ISP, and a large Thaila
Tenable
Cybersecurity Snapshot: Cyber Agencies Offer Best Practices for Network Edge Security, While OWASP Ranks Top Risks of Non-Human Identities
blogs_tenable·2025-02-07
Cybersecurity Snapshot: Cyber Agencies Offer Best Practices for Network Edge Security, While OWASP Ranks Top Risks of Non-Human Identities
Tenable
Cybersecurity Snapshot: Five Eyes Rank 2023’s Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits
blogs_tenable·2024-11-15
Cybersecurity Snapshot: Five Eyes Rank 2023’s Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits
Bleepingcomputer
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
blogs_bleepingcomputer·2024-11-12·CVSS 10.0
[CRITICAL] FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned .
"In 2023, the majority of the most frequently exploited vulnerabilities
Greynoiseio
U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now
blogs_greynoiseio·2024-10-17
U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now
Bleepingcomputer
Cisco says critical Unity Connection bug lets attackers get root
blogs_bleepingcomputer·2024-01-10·CVSS 7.3
CVE-2024-20272 [HIGH] Cisco says critical Unity Connection bug lets attackers get root
## Cisco says critical Unity Connection bug lets attackers get root
## Sergiu Gatlan
Cisco has patched a critical Unity Connection security flaw that can let unauthenticated attackers remotely gain root privileges on unpatched devices.
Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.
The vulnerability (CVE-2024-20272) was found in the software's web-based management interface, and it allows attackers to execute commands on the underlying operating system by uploading arbitrary files to targeted and vulnerable systems.
"This vulnerability is due to a lack of authentication in a specific API and improper validation of user-
Tenable
Cybersecurity Snapshot: U.S., U.K. Governments Offer Advice on How To Build Secure AI Systems
blogs_tenable·2023-12-01
Cybersecurity Snapshot: U.S., U.K. Governments Offer Advice on How To Build Secure AI Systems
Bleepingcomputer
Exploit released for critical Cisco IOS XE flaw, many hosts still hacked
blogs_bleepingcomputer·2023-10-30·CVSS 10.0
CVE-2023-20198 [CRITICAL] Exploit released for critical Cisco IOS XE flaw, many hosts still hacked
## Exploit released for critical Cisco IOS XE flaw, many hosts still hacked
## Ionut Ilascu
Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices.
Cisco released patches for most releases of its IOS XE software but thousands of systems continue to be compromised, internet scans show.
## CVE-2023-20198 exploit details
Researchers at Horizon3.ai, a company providing security assessment services, have shared details on how an attacker can bypass authentication on Cisco IOS XE devices vulnerable to CVE-2023-20198.
In a technical report today, the researchers show how hackers can exploit the maximum severity security issue to create a new user with level 15 privileges
Bleepingcomputer
Cisco patches IOS XE zero-days used to hack over 50,000 devices
blogs_bleepingcomputer·2023-10-23·CVSS 10.0
CVE-2023-20198 [CRITICAL] Cisco patches IOS XE zero-days used to hack over 50,000 devices
## Cisco patches IOS XE zero-days used to hack over 50,000 devices
## Ionut Ilascu
Cisco has addressed the two vulnerabilities (CVE-2023-20198 and CVE-2023-20273) that hackers exploited to compromise tens of thousands of IOS XE devices over the past week.
The free software release comes after a threat actor leveraged the security issues as zero-days to compromise and take full control of more than 50,000 Cisco IOS XE hosts.
## Critical and medium-severity flaws
In an update to the original advisory, Cisco says that the first fixed software release is available from the company’s Software Download Center .
At the moment, the first fixed release available is 17.9.4a, with updates to roll out at a yet undisclosed date.
| Cisco IOS XE Software Release Train | First Fixed Release | Available |
|---|---|---|
| 17.9 | 17.9.4a | Yes |
| 17.6 | 17.6.6a | TBD |
| 17.3 | 17.3.8a | TBD |
| 16.12 ( | | |
Checkpoint
23rd October – Threat Intelligence Report
blogs_checkpoint·2023-10-23
CVE-2023-22515 23rd October – Threat Intelligence Report
## 23rd October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd October, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Attackers have gained access to parts of the network of the cloud identity authentication giant Okta. The hackers managed to gain access to the firm’s support unit for at least two weeks and have attempted to use tokens copied from support tickets to access the firm’s customers’ networks. Reportedly, the firm only became
Bleepingcomputer
Hackers update Cisco IOS XE backdoor to hide infected devices
blogs_bleepingcomputer·2023-10-22·CVSS 10.0
CVE-2023-20198 [CRITICAL] Hackers update Cisco IOS XE backdoor to hide infected devices
## Hackers update Cisco IOS XE backdoor to hide infected devices
## Lawrence Abrams
10/23/23 update added at the end explaining the cause of decreased detections.
The number of Cisco IOS XE devices detected with a malicious backdoor implant has plummeted from over 50,000 impacted devices to only a few hundred after the attackers updated the backdoor to hide infected systems from scans.
This week, Cisco warned that hackers exploited two zero-day vulnerabilities , CVE-2023-20198 and CVE-2023-20273, to hack over 50,000 Cisco IOS XE devices to create privileged user accounts and install a malicious LUA backdoor implant.
This LUA implant allows the threat actors to remotely execute commands at privilege level 15 , the highest privilege level on the device.
However, this implant does not i
Bleepingcomputer
Cisco discloses new IOS XE zero-day exploited to deploy malware implant
blogs_bleepingcomputer·2023-10-20·CVSS 7.2
CVE-2023-20273 [HIGH] Cisco discloses new IOS XE zero-day exploited to deploy malware implant
## Cisco discloses new IOS XE zero-day exploited to deploy malware implant
## Sergiu Gatlan
Cisco disclosed a new high-severity zero-day (CVE-2023-20273) today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week.
The company said it found a fix for both vulnerabilities and estimates it will be released to customers via the Cisco Software Download Center over the weekend, starting October 22.
"Fixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22. The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity," Cisco said today.
On Monday, Cisco disclosed that unauthenticated attackers have been exploiting the CVE
Talos
More helpful resources for users of all skill levels to help you Take a Security Action
blogs_talos·2023-10-19·CVSS 10.0
[CRITICAL] More helpful resources for users of all skill levels to help you Take a Security Action
## More helpful resources for users of all skill levels to help you Take a Security Action
Welcome to this week’s edition of the Threat Source newsletter.
I continue to be saddened by all the conflict in Israel and Gaza that’s still ongoing. I’ll be back with a “normal” newsletter next week, as unfortunately, there doesn’t seem to be a peaceful solution coming any time soon.
In the meantime, I just wanted to use this space again to provide a roundup of the best resources I found this week for Cybersecurity Awareness Month. Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of being more security resilient.
- The Annual Cybersecurity Attitudes and Behaviors Report 2023 (National Cybersecurity Alliance)
Unit42
Threat Brief: Cisco IOS XE Web UI Privilege Escalation Vulnerability (Updated)
blogs_unit42·2023-10-19·CVSS 10.0
CVE-2023-20198 [CRITICAL] Threat Brief: Cisco IOS XE Web UI Privilege Escalation Vulnerability (Updated)
## Threat Brief: Cisco IOS XE Web UI Privilege Escalation Vulnerability (Updated)
Unit 42
Published: October 18, 2023
## Executive Summary
On Oct. 16, 2023, Cisco published a security advisory detailing an actively exploited privilege escalation zero-day vulnerability impacting Cisco IOS XE devices. The vulnerability (CVE-2023-20198) has a criticality score of 10, according to the National Vulnerability Database, and it would allow an attacker to create an account with the highest privileges possible.
According to our attack surface telemetry from Cortex Xpanse, analysts observed 22,074 implanted IOS XE devices on Oct. 18, 2023. Telemetry as of Oct. 19, 2023 shows 18,359 impacted devices, and we expect the number to continue to decrease as the implant is no longer persistent. (Note: Implant is a term commonly used to describe a backdoor or malware.)
Cisco recommends customers disable the HTTP Server fe
Bleepingcomputer
Over 40,000 Cisco IOS XE devices infected with backdoor using zero-day
blogs_bleepingcomputer·2023-10-19·CVSS 10.0
CVE-2023-20198 [CRITICAL] Over 40,000 Cisco IOS XE devices infected with backdoor using zero-day
## Over 40,000 Cisco IOS XE devices infected with backdoor using zero-day
## Ionut Ilascu
More than 40,000 Cisco devices running the IOS XE operating system have been compromised after hackers exploited a recently disclosed maximum severity vulnerability tracked as CVE-2023-20198.
There is no patch or a workaround available and the only recommendation for customers to secure the devices is to “disable the HTTP Server feature on all internet-facing systems.”
Networking gear running Cisco IOS XE includes enterprise switches, industrial routers, access points, wireless controllers, aggregation, and branch routers.
## Tens of thousands of Cisco devices exposed
Initial estimates of breached Cisco IOS XE devices were around 10,000 and the number started growing as security researchers scan
Qualys
Critical Cisco 0day Exploited – Do you have Blind Spots in your Risk Management? | Qualys
blogs_qualys·2023-10-17·CVSS 10.0
[CRITICAL] Critical Cisco 0day Exploited – Do you have Blind Spots in your Risk Management? | Qualys
## Table of Contents
- How Does the Qualys Platform Elevate Your Cybersecurity?
In the dynamic realm of cybersecurity, the importance of exhaustive vulnerability management and robust risk assessment is paramount. While agent-based solutions have garnered favor among organizations bolstering their cyber protections, it prompts the question: “Is an agent-only strategy truly enough?” While agents provide invaluable insights, a well-rounded understanding and comprehensive risk assessment may require a broader perspective. Data from the National Vulnerability Database (NVD) shows that 82% of high-risk vulnerabilities are associated with a network access vector, underscoring that the vast majority can be exploited remotely.
Fig 1: Attack Vector Analysis Revealing Network Dominance in High-
Bleepingcomputer
Over 10,000 Cisco devices hacked in IOS XE zero-day attacks
blogs_bleepingcomputer·2023-10-17·CVSS 10.0
CVE-2023-20198 [CRITICAL] Over 10,000 Cisco devices hacked in IOS XE zero-day attacks
## Over 10,000 Cisco devices hacked in IOS XE zero-day attacks
## Sergiu Gatlan
Update October 17, 16:40 EDT: Added new information on breached Cisco IOS XE devices.
Update October 18, 05:06 EDT: Orange Cyberdefense CERT discovered over 34.5K Cisco IOS XE devices compromised in CVE-2023-20198 attacks.
Attackers have exploited a recently disclosed critical zero-day bug to compromise and infect over 10,000 Cisco IOS XE devices with malicious implants.
The list of products running Cisco IOS XE software includes enterprise switches, aggregation and industrial routers, access points, wireless controllers, and more.
According to threat intelligence company VulnCheck, the maximum severity vulnerability (CVE-2023-20198) has been extensively exploited in attacks targeting Cisco IOS XE systems
Talos
Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
blogs_talos·2023-10-16·CVSS 7.2
[HIGH] Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
## Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
Updates
Nov. 02: Identified a third version of the BadCandy implant. Added expected response from the new version of the implant against one of the HTTP requests used to check for infected devices.
Nov. 1: Observed increase in exploitation attempts since the publication of the proofs-of-concept (POCs) of the exploits involved. Named the Lua-based web shell “BadCandy.”
Oct. 23: Identified an updated version of the implant. Provided new curl command to check for infected devices. Fixes for CVE-2023-20198 and CVE-2023-20273 started to roll out on Oct. 22.
Oct. 20: Identified an additional vulnerability (CVE-2023-20273) that is exploited to deploy the implant. Fixes for both CVE-2023-20198 and CV
Tenable
CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild
blogs_tenable·2023-10-16·CVSS 10.0
[CRITICAL] CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild
Bleepingcomputer
Cisco warns of new IOS XE zero-day actively exploited in attacks
blogs_bleepingcomputer·2023-10-16·CVSS 7.2
CVE-2023-20198 [HIGH] Cisco warns of new IOS XE zero-day actively exploited in attacks
## Cisco warns of new IOS XE zero-day actively exploited in attacks
## Sergiu Gatlan
Cisco warned admins today of a new maximum severity authentication bypass zero-day in its IOS XE software that lets unauthenticated attackers gain full administrator privileges and take complete control of affected routers and switches remotely.
The company says the critical vulnerability (tracked as CVE-2023-20198 and still waiting for a patch) only affects devices with the Web User Interface (Web UI) feature enabled, which also have the HTTP or HTTPS Server feature toggled on.
"Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks," the compa
Recorded Future
Recorded Future Briefing | Munich Security Conference 2025 Insights by Insikt Group
blogs_recorded_future
Recorded Future Briefing | Munich Security Conference 2025 Insights by Insikt Group
## Munich Security Conference
## Insikt Group Briefing - February 13th 2025
## Overview
This document provides an overview of Recorded Future’s Insikt Group intelligence reporting and analysis published during the 2025 Munich Security Conference. Links to the full reports are included.
## Subject
Adversarial Actors — China, Russia, Iran, and North Korea — are adapting to and exploiting Western openness and fragmentation through hostile cyber, economic, and military actions.
## Reporting and Analysis
The Risk of a Taiwan Invasion Is Rising Fast
Russian Influence Operations Target German Elections
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
Inside the Scam: North Koreaʼs IT Worker Threat
## The Risk of a Taiwan Invasion Is Rising
Greynoiseio
NoiseLetter
blogs_greynoiseio
NoiseLetter
Recorded Future
RedMike Cyber Attack on Cisco Devices in Telecommunications
blogs_recorded_future·CVSS 10.0
[CRITICAL] RedMike Cyber Attack on Cisco Devices in Telecommunications
## RedMike (Salt Typhoon) Exploits Cisco Vulnerabilities for Cyber Espionage
## RedMike (Salt Typhoon) Targets Cisco Telecom Networks
Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and exploit unpat
Greynoiseio
The Fourth Day Of Tagsmas (2023): A Critical Weakness In Cisco IOS XE (CVE-2023-20198)
blogs_greynoiseio·CVSS 10.0
[CRITICAL] The Fourth Day Of Tagsmas (2023): A Critical Weakness In Cisco IOS XE (CVE-2023-20198)
Greynoiseio
Unpacking CVE-2023-20198: A Critical Weakness In Cisco IOS XE:
blogs_greynoiseio·CVSS 10.0
[CRITICAL] Unpacking CVE-2023-20198: A Critical Weakness In Cisco IOS XE:
Greynoiseio
Case Study: Detecting Cisco IOS XE Emerging Exploitation
blogs_greynoiseio
Case Study: Detecting Cisco IOS XE Emerging Exploitation
arXiv
ReposVul: A Repository-Level High-Quality Vulnerability Dataset
arxiv_fulltext·2024-02-08
ReposVul: A Repository-Level High-Quality Vulnerability Dataset
Authors: Xinchen Wang^, Ruida Hu^, Cuiyun Gao^, Xin-Cheng Wen, Yujia Chen, Qing Liao (Harbin Institute of Technology, Shenzhen, China)
^ These authors contribute to the work equally and are co-first authors of the paper.
^ Corresponding author. The author is also affiliated with Peng Cheng Laboratory and Guangdong Provincial Key Laboratory of Novel Security Intelligence T
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20198
Published: 2023-10-16
Added to CISA KEV: 2023-10-16
Exploited in the wild