
Public scans have revealed that hackers can easily find 192,038 Cisco network devices exposed on the internet running a service vulnerable to a zero-day flaw. Attackers are actively targeting vulnerable systems, and many of them are likely still unpatched.
Last week, Cisco and cybersecurity authorities sounded the alarm about an ongoing campaign by an “advanced threat actor” exploiting previously unknown critical Cisco vulnerabilities. The flaws enable attackers to escalate privileges and run remote code as root on firewalls.
Censys, the cybersecurity search engine that maps internet-connected devices, warns that it sees 192,038 internet-accessible Cisco routers and switches (running IOS or IOS XE) exposed online with SNMP (Simple Network Management Protocol) services.
“We recommend immediately identifying devices with SNMP running and verifying that they’re patched or mitigated. Due to the critical nature and actively exploited status of this vulnerability, it should be treated with urgency,” Censys said in the advisory.
Last week, Cisco disclosed multiple critical flaws across its product line, including SNMP and Cisco Secure Firewall products (Adaptive Security Appliance, Cisco Secure Firewall Threat Defense, and other software).
SNMP is used for remote device management and monitoring. It was found to be vulnerable to abuse by remote authenticated attackers, who, depending on their privileges, can cause a denial of service or run remote code as root.
While vulnerabilities in Cisco firewalls are even more critical, exposed SNMP services can be easily detected through external scanning. Any attacker can also easily find exposed services on IoT search engines.
This specific SNMP vulnerability affects unpatched Cisco IOS and IOS XE software, including Cisco Catalyst 9300 series switches and Meraki MS390 switches. The vulnerability affects all prior versions of SNMP.
The US Cybersecurity and Infrastructure Security Agency (CISA) released a directive last week, obliging agencies to apply patches within 24 hours.
“The campaign is widespread,” CISA said last week.
“This activity presents a significant risk to victim networks.”
Cisco has released emergency software updates that address the vulnerabilities, and there are no workarounds to address them.