Cisco said a patch for two actively exploited zero-day flaws in its IOS XE devices is scheduled to drop on Oct. 22.
The first Cisco zero-day bug, tracked under CVE-2023-20198, was announced on Oct. 16 and has a severity rating of 10 out of 10. At the time it was discovered, it had already allowed threat actors to compromise more than 10,000 Cisco devices.
On Oct. 19, Cisco said it believed the cyberattacks against its IOS XE devices were all being carried out by the same threat actor.
Now, in an Oct. 20 update to its threat advisory, Cisco reported there’s another previously unknown flaw involved, tracked under CVE-2023-20273 — it carries a slightly less scary CVSS score of 7.2.
Both are being used in the same exploit chain. Threat actors used the first bug for initial access, and the second to escalate privileges once authenticated, according to an emailed statement from Cisco announcing the coming patch release.
Cisco also corrected one point from its earlier reporting on the first bug: early in the response it was thought that the threat actor had combined the new zero-day with a known and patched vulnerability from 2021, raising the specter of a patch bypass. Cisco has now dismissed that theory, according to a statement from the company.
“The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity,” it said.
Exploitation Could Continue for Years
As Cisco continues to wrap its arms around the breadth of the threat, cybersecurity expert and consultant Immanuel Chavoya expects to see a spike in malicious activity against vulnerable devices in the lead-up to the release of the updated version.
“Active exploitation will continue and lead to ransomware probably over this weekend, as threat actors rush to capitalize before any patch or remediation,” he predicts.
But beyond the short term, Chavoya is dubious that many Cisco customers will take the necessary steps to remediate.
“I can tell you from experience many customers do not or will never patch — and are absolutely unaware of the exploitation status currently (SMBs, etc.) — and so thus, exploitation will continue for months or years.”