Cisco has released fixes to address two vulnerabilities \u2013 CVE-2023-20198 and CVE-2023-20273 \u2013 that hackers exploited to compromise tens of thousands of IOS XE devices.\n\nCVE-2023-20198 could allow a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. CVE-2023-20198 has been assigned a CVSS Score of 10.0.\n\nCVE-2023-20273 could enable a remote, authenticated attacker to inject arbitrary commands as the root user. CVE-2023-20273 has been assigned a CVSS Score of 7.2.\n\nThe UK National Cyber Security Centre (NCSC) urged organisations to mitigate the Cisco IOS XE vulnerabilities and follow vendor best practices. The NCSC said it is working with UK organisations known to be impacted and has notified affected business signed up for the NCSC Early Warning service.\n\nVulnerabilities affect Cisco IOS XE Software if web UI feature is enabled\n\nCVE-2023-20198 and CVE-2023-20273 affect Cisco IOS XE Software if the web UI feature is enabled, Cisco said in its advisory. The web UI is an embedded GUI-based system-management tool that provides the ability to provision the system, to simplify system deployment and manageability, and to enhance the user experience. The web UI feature is enabled through the ip http server or ip http secure-server commands.\n\n\u201cCisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,\u201d the company wrote. \u201cTo disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode.\u201d If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature, Cisco added.\n\nThe following decision tree can be used to help determine how to triage an environment and deploy protections, according to Cisco:\n\nAre you running IOS XE?\n\nSeveral Cisco bugs discovered recently\u00a0\n\nCisco has had a busy last two months with six high-to-critical level exploits found in its systems.\n\nCVE-2023-20198, the bug that allows unauthenticated users to create an account on the affected system with "level 15" privileges, was itself discovered by the company while resolving TAC support cases because of an existing detection rule for an older vulnerability, CVE-2021-1435.\n\nAs per the Cisco advisory, there are no workarounds available for the vulnerability and the only recommendation the company provided is to disable the HTTP Server feature on all internet-facing systems until the patches are deployed.\n\nAs for indicators-of-compromise, the company has advised users to look for new or unknown usernames present in the configuration messages, generated each time the Web UI feature is accessed.\n\nCisco, on October 19, confirmed another high severity (CVSS 7.5) HTTP\/2 Rapid Reset vulnerability, CVE-2023-44487, which was collectively reported last week by Google, Amazon AWS, and Cloudflare to have zero-day exploits. The vulnerability allows exploiting a weak HTTP\/2 protocol to generate enormous Distributed Denial of Service (DDoS) attacks.