Unpatched Zero-Day being exploited in the wild, Cisco warns

A critical flaw in Cisco's software has paved the way for mass exploitation of the company's network devices. Hackers have been spotted hijacking thousands of Cisco products, a day after the company warned customers about the vulnerability, which has received a 10 out of 10 score for severity.

The flaw, tracked as CVE-2023-20198, is a privilege escalation bug that can be exploited on internet-facing or untrusted networks, Cisco said in its separate advisory. Both physical and virtual devices running Cisco IOS XE software that have the HTTP or HTTPS Server feature enabled are vulnerable to hacking. No patch is available - momentarily - for this maximum CVSS-rated bug.

Because there's no patch or workaround, Cisco "strongly recommends" that customers disable this feature on all internet-facing systems. This also echoes guidance from the USA's Cybersecurity and Infrastructure Security Agency on how to mitigate risk from internet-exposed management interfaces.

"To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode," Cisco's advisory recommends . "If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature."

Read more -here-

• Disney+, Hulu and Max team up for streaming bundle package
• OpenAI is reportedly working on a search feature for ChatGPT
• TikTok, ByteDance sue to block US law seeking sale or ban of app
• OpenAI partners with Stack Overflow to make models better at coding
• Dropbox breach exposes customer credentials, authentication data
• Google: Passkey authentications top 1 billion across 400 million accounts