Cisco’s recently disclosed critical zero-day in the IOS XE web UI has been tied to more than 40,000 compromised hosts at its peak, with the US accounting for the largest share, followed by the Philippines.
Closely tracking exploitation of Cisco’s IOS XE web UI privilege escalation vulnerability (tracked as CVE-2023-20198), cybersecurity research firm Censys reported that the number of compromised devices declined slightly on October 19 after sharp increases over the previous two days.
“In the past 24 hours since our last update on the ongoing compromises, there’s both promising and concerning news,” Censys said in a blog post. “While the initial surge of compromises appears to have diminished, we’re now grappling with a substantial number of compromised routers.”
On October 16, Cisco issued an advisory for a critical-severity (CVSS 10.0) vulnerability in the web UI feature of devices running IOS XE software. The flaw allows a remote, unauthenticated attacker to escalate privileges on the device, and Cisco confirmed it was already being exploited in the wild.
The US and Philippines lead in affected hosts
Censys research found a total of 36,541 actively compromised devices as of October 19, noting that about 5,400 devices dropped out of the count within 24 hours, either because they were taken offline or because their web UI was disabled.
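For operators, “deactivating UI features” means turning off the IOS XE HTTP server that hosts the web UI. The session below is an added illustration, not part of the original article or of Censys’ research; the commands are standard Cisco IOS XE CLI, and the device name and interface state are assumed for the example.

```text
! Check whether the web UI listeners are enabled. Either "ip http server" or
! "ip http secure-server" in the output means the web UI is reachable.
Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server

! Disable both the HTTP and HTTPS web UI listeners and save the change.
Router# configure terminal
Router(config)# no ip http server
Router(config)# no ip http secure-server
Router(config)# end
Router# write memory

! Verify: the filter should no longer return the two "ip http" server lines.
Router# show running-config | include ip http server|secure|active
```

If the first command instead shows the HTTP server enabled together with ip http active-session-modules none and ip http secure-active-session-modules none, the web UI itself is not being served over that listener. Turning the listener off blocks new exploitation but does not by itself undo anything an attacker already did on a compromised device, so a host disappearing from a scan count is not the same as that host having been cleaned up.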
The vulnerability affected Cisco devices in several countries, including the US, Philippines, Mexico, Chile, and India. A total of 6,509 compromised hosts were reported in the US on October 18, almost a 40% jump within 24 hours from the 4,659 reported the day before. The Philippines was second with 3,966 and 3,224 devices on the same two days.