If you manage a network that uses Cisco routers or switches, October 2023 brought some alarming news. A critical vulnerability in Cisco IOS XE software has been exploited by hackers to compromise over 50,000 devices worldwide. But what does this mean for you, and more importantly, what should you do about it? This guide breaks down the situation and provides clear, actionable steps for anyone responsible for network equipment.
The vulnerability, known as CVE-2023-20198, scored a perfect 10 out of 10 on the severity scale. That is as bad as it gets. Hackers used it to gain full administrative control of Cisco devices, creating backdoor accounts and installing malicious software. Even more concerning, when security researchers thought the number of infected devices was dropping, it turned out the attackers had simply learned to hide their tracks better.
The Basics
Cisco IOS XE is the operating system that runs on many of Cisco’s most popular routers and switches — the devices that direct internet traffic in offices, data centers, and networks around the world. The vulnerability affects any IOS XE device that has its web management interface turned on and exposed to the internet.
Think of it like leaving your front door open with a sign that says “administrator access available.” Anyone who knows about the vulnerability can walk in, create their own key, and take complete control of your device. They can see all the traffic flowing through it, redirect connections, or use your equipment to attack other targets.
The attack worked in two stages. First, hackers exploited the main vulnerability (CVE-2023-20198) to create a new administrator account with the highest possible privileges. Then they used a second vulnerability (CVE-2023-20273) to install malicious software deep into the device’s file system. This software does not survive a reboot, but while it is running, the hackers have complete control.
Why It Matters
If you are running a business, managing a university network, or responsible for any organization’s internet connectivity, a compromised Cisco device could mean that attackers can intercept traffic, steal credentials, or launch further attacks from within your network. For crypto users and businesses handling digital assets, this is particularly concerning because network-level compromises can expose wallet credentials, API keys, and transaction data.
The scale of the compromise — over 50,000 devices — means this is not a theoretical threat. Real devices in real networks were actually breached. And while Cisco has released a patch, many organizations have not yet applied it.
Getting Started Guide
Here is what you should do right now to check and protect your Cisco devices:
Step 1: Identify which of your devices run Cisco IOS XE. Log into each device and check the software version. Any device running IOS XE software versions 16.12 through 17.9 could be affected.
Step 2: Check if the web UI is enabled. Connect to your device’s command line interface and run this command: show running-config | include ip http server|secure|active. If you see “ip http server” or “ip http secure-server” in the output, the web UI is enabled and your device is exposed to this vulnerability.
Step 3: Check for signs of compromise. Look for unusual administrator accounts that you did not create. Examine the device’s logs for unexpected configuration changes. Check if any new users have been added at privilege level 15.
Step 4: Apply the patch. Cisco has released version 17.9.4a as the first fixed release. If you cannot update immediately, disable the web UI feature entirely by entering the configuration commands no ip http server and no ip http secure-server.
Step 5: Reboot your device. Since the malicious implant does not survive a reboot, restarting your device will remove any active malware — but only if you have already disabled the web UI or applied the patch to prevent reinfection. Note that a reboot does not remove the administrator accounts the attackers created in the running configuration; delete any account you identified in Step 3 separately.
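The following script is an added example for this checklist; it is not part of the original guide and not Cisco’s own tooling. It works offline on text you have already captured from a device (the output of show version and show running-config) and automates Steps 1 to 3: it parses the IOS XE version and tests it against the 16.12 through 17.9 range and the 17.9.4a first fixed release named above, reports whether the HTTP or HTTPS web UI is enabled, and lists privilege-15 accounts that are not in an approved baseline you supply. The function names, the sample device outputs, and the account names in them are constructed for illustration. One assumption to keep in mind: the script compares only against 17.9.4a, so a device on a different release train that received its own fixed build will still be reported as below the first fix; confirm your train’s fixed build against Cisco’s advisory.

```python
"""Offline triage helper for the CVE-2023-20198 checklist (added example).

Parses captured "show version" and "show running-config" text and reports:
  * the IOS XE version and whether it sits in the 16.12-17.9 affected range
  * whether the version is at or above 17.9.4a, the first fixed release
    (other release trains have their own fixed builds; see Cisco's advisory)
  * whether the HTTP or HTTPS web UI is enabled (Step 2)
  * privilege-15 local accounts missing from your approved baseline (Step 3)
All sample device outputs below are constructed, not from a real device.
"""
import re

AFFECTED_MIN = (16, 12)          # first affected train named in the guide
AFFECTED_MAX = (17, 9)           # last affected train named in the guide
FIRST_FIXED = (17, 9, 4, "a")    # 17.9.4a, first fixed release named in the guide

# Matches both "Version 17.9.4a" and the zero-padded "Version 17.09.04a" form.
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
# Matches "ip http server" / "ip http secure-server" with an optional "no"
# prefix; deliberately does not match "ip http secure-active-session-modules".
_HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$", re.M)
# Local accounts configured at the highest privilege level.
_PRIV15_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.M)


def parse_version(show_version):
    """Return (major, minor, build, suffix) parsed from "show version" text."""
    m = _VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no IOS XE version string found")
    major, minor, build, suffix = m.groups()
    # int() normalises zero-padded fields, so 17.09.04a becomes (17, 9, 4, "a")
    return (int(major), int(minor), int(build), suffix)


def web_ui_enabled(running_config):
    """True if either web server line is present without a leading "no"."""
    return any(not negated for negated, _ in _HTTP_RE.findall(running_config))


def unexpected_priv15_users(running_config, approved):
    """Privilege-15 accounts in the config that are not in the approved set."""
    return sorted(set(_PRIV15_RE.findall(running_config)) - set(approved))


def triage(show_version, running_config, approved_admins):
    """Combine the three checks into one report dictionary."""
    version = parse_version(show_version)
    train = version[:2]
    return {
        "version": version,
        "in_affected_range": AFFECTED_MIN <= train <= AFFECTED_MAX,
        "at_or_above_first_fix": version >= FIRST_FIXED,
        "web_ui_enabled": web_ui_enabled(running_config),
        "unexpected_priv15": unexpected_priv15_users(running_config, approved_admins),
    }


# Constructed sample outputs (hostnames, users and hashes are placeholders).
SAMPLE_SHOW_VERSION = "Cisco IOS XE Software, Version 17.09.03\n"
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$CONSTRUCTED-HASH-1
username svc_unknown privilege 15 secret 9 $9$CONSTRUCTED-HASH-2
username helpdesk privilege 5 secret 9 $9$CONSTRUCTED-HASH-3
!
ip http server
ip http secure-server
ip http authentication local
!
"""
APPROVED_ADMINS = {"netops"}   # the accounts you know you created

if __name__ == "__main__":
    report = triage(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG, APPROVED_ADMINS)
    for key, value in report.items():
        print(f"{key:>22}: {value}")
```

On the constructed sample the report flags the device as in the affected range and below 17.9.4a, shows the web UI enabled, and lists svc_unknown as a privilege-15 account that is not in the baseline. In practice you would feed it the captured output of each device from your inventory tool and treat any non-empty unexpected_priv15 list as a Step 3 finding to investigate before rebooting.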
Common Pitfalls
Many organizations make the mistake of assuming that because their devices are behind a firewall, they are safe. However, if the web UI is enabled and reachable from any part of the network — even indirectly — the device could be compromised through lateral movement from another infected system.
Another common error is checking for implants with only the single detection method that the attackers already know about. The hackers modified their malware specifically to evade the most widely used check, so a clean result from that one check proves little. Use multiple detection methods and consider engaging a professional security firm for a thorough forensic review.
Do not assume the threat is over just because the number of visible compromised devices dropped. Fox-IT researchers found that 37,890 devices were still infected even after the visible count dropped to just 107. The attackers simply got better at hiding.
Next Steps
After you have checked your devices and applied the patch, establish a regular cadence for reviewing security advisories from your network equipment vendors. Subscribe to Cisco’s security alerts and consider implementing automated vulnerability scanning across your infrastructure.
For crypto businesses and users, this incident underscores the importance of network-level security. Your hot wallets, exchange accounts, and API credentials are only as secure as the network infrastructure that connects you to them. A compromised router can expose everything.
Finally, consider network segmentation as a long-term strategy. Your critical infrastructure — devices handling financial transactions, wallet services, or sensitive data — should be on isolated network segments with strictly controlled access. The less exposed your critical devices are, the smaller the blast radius when vulnerabilities like this one are discovered.
Disclaimer: This article is for educational purposes only and does not constitute professional IT or security advice. Consult with qualified network security professionals for guidance specific to your organization.
50k devices compromised and the attackers learned to hide implants AFTER researchers started scanning. the counter going down wasn't recovery, it was evasion
cve_dive_ the QA on those implants was professional grade. multiple iterations with testing. this was a team with resources, not some random threat actor
ran the curl check across 80 devices via ansible in 10 minutes. should be the first thing in any playbook when a 10.0 CVSS drops on network gear
the guide is solid but the scary part was the attackers hiding their implants after researchers started scanning. drop off was fake
CVE scored 10/10 and the implants were hiding while researchers thought they were winning. state level tradecraft on network gear is terrifying
state-level is exactly right. the implant code showed multiple iterations with QA testing. this was a professional team not a random attacker fumbling in the dark
cisco_madness the implants hiding while researchers declared victory was the scariest part. active counterintelligence on router firmware
wish this came out a week earlier. spent 3 days checking our estate manually. the curl command to check for the implant was a lifesaver though
we had the same scramble. ended up writing a script to run that curl check across all 120 devices via ansible. took 15 minutes instead of 3 days
spent a week checking 40+ devices across our org after this. the curl command saved us hours. should be pinned in every neteng slack
we did the same. ansible + that curl check across 200 devices in about 20 min. should be standard playbook material
50,000+ compromised devices and the actual number was probably higher. the counter going down meant attackers learned to hide implants not that devices were clean
CVE-2023-20198 scoring 10/10 and affecting 50k+ devices. if you manage cisco gear and haven't patched yet, drop everything
the 10/10 CVSS score and the fact that it needed web UI enabled means a lot of internal-only devices were safe. but any cisco box exposed to the internet was basically a sitting duck
the web UI requirement is what made it so sneaky. every admin assumes internal = safe until they find a default route exposing it
the web UI assumption is what kills people. internal management interfaces get exposed through misconfigured NAT or default routes more often than anyone admits