Cisco discovers a second actively exploited zero-day in IOS XE and will release a fix on Sunday


Cisco has discovered a second zero-day vulnerability in its IOS XE software. This vulnerability, together with the previously found bug, is actively being used to completely take over routers and switches. Cisco says it has found a fix for both vulnerabilities, which will be released on October 22.

In an update, Cisco says it has discovered more information about the CVE-2023-20198 vulnerability that the company disclosed earlier this week. Cisco initially thought that hackers could use this vulnerability to completely take over routers and switches, but now says that it only allowed them to create ‘a local user and password combination’ and gain ‘normal’ user access. However, another vulnerability, CVE-2023-20273, is used to gain root privileges and thus full control over the device. The previously discovered bug has a CVSS severity score of 10 out of 10, and the new one has a score of 7.2 out of 10.

The bug affects devices that use the IOS XE web UI in combination with the HTTP or HTTPS Server features. Cisco says it has found a solution, and the first software updates with a fix will be made available on Sunday, October 22, via the Cisco Software Download Center. Until then, the company recommends that users disable the HTTP Server or HTTPS Server features.
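An added example, not from Cisco or the original article, that audits saved IOS XE running-configs for the two points above: whether the HTTP or HTTPS Server feature is still enabled, and whether local accounts exist that nobody expects. The sample configs, hostnames and user names are constructed; the `ip http ...` command names are standard IOS XE configuration syntax and do not appear in the article itself.

```python
import re

# Constructed sample running-config excerpts (not from any real device).
SAMPLE_EXPOSED = """\
hostname edge-rtr-01
username admin privilege 15 secret 9 $9$constructed
username svc_tmp privilege 15 secret 9 $9$constructed
ip http server
ip http secure-server
ip http active-session-modules none
"""

SAMPLE_MITIGATED = """\
hostname core-sw-02
username admin privilege 15 secret 9 $9$constructed
no ip http server
no ip http secure-server
"""


def audit_config(config_text, expected_users):
    """Report web UI exposure and unexpected local accounts for one config."""
    lines = [ln.strip() for ln in config_text.splitlines()]

    def has(cmd):
        # Exact line match, so "no ip http server" does not count as enabled.
        return cmd in lines

    # A server with its session modules set to "none" serves no web UI sessions.
    http = has("ip http server") and not has("ip http active-session-modules none")
    https = has("ip http secure-server") and not has(
        "ip http secure-active-session-modules none")
    users = [m.group(1) for ln in lines if (m := re.match(r"username (\S+)", ln))]
    return {
        "http_exposed": http,
        "https_exposed": https,
        "unexpected_users": sorted(set(users) - set(expected_users)),
    }


if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("mitigated", SAMPLE_MITIGATED)):
        print(name, audit_config(cfg, expected_users={"admin"}))
```

An account flagged as unexpected is a prompt for investigation rather than proof of compromise; compare it against the organisation's own account inventory.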

Cisco does not mention how many users may be affected by these vulnerabilities. The non-profit security organization Shadowserver said on Friday that approximately 37,000 IOS Therefore, the company expects that around 19,000 devices have actually been attacked so far.
