Industry News

Rockwell Automation Warns Customers of Cisco Zero-Day Affecting Stratix Switches

02 November 2023

Unidentified hackers have been exploiting two Cisco IOS XE zero-day vulnerabilities tracked as CVE-2023-20198 and CVE-2023-20273 to create high-privileged accounts on affected devices and deploy a Lua-based implant that gives them complete control of the system.

The cybersecurity community discovered tens of thousands of compromised systems shortly after Cisco disclosed the existence of the first zero-day. 

Rockwell informed customers last week that its Stratix 5800 and 5200 managed industrial Ethernet switches, which use the Cisco IOS XE operating system, are affected by CVE-2023-20198. The devices are only impacted if the IOS XE web UI feature is enabled.

Since it was published before the discovery of the second zero-day, Rockwell’s security advisory does not mention anything about CVE-2023-20273, which attackers have been using to deliver the implant. However, this flaw also impacts IOS XE software, which means that it likely affects Rockwell’s switches as well. 

Rockwell’s advisory says no patches are available, but Cisco did release fixes after the advisory was published. The industrial automation giant has promised to share updates as more information becomes available, but pointed out that it’s not aware of attacks targeting its products.

“While Rockwell Automation has no evidence of active exploitation against the Stratix product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer,” the company said.  

The US cybersecurity agency CISA published its own advisory on Tuesday to notify organizations of Rockwell’s advisory. 

It’s unclear what the attackers’ goal is at this point. They still have control of tens of thousands of Cisco routers and switches, and they have updated their implant in an effort to maintain control.