Cisco has plugged a serious security hole in the web-based user interface of its IOS XE software. The flaw lets anyone on the internet break into internal networks without needing a password. The company urges customers to install the patch as soon as possible.

Cisco IOS XE is the Linux-based version of the company’s Internetwork Operating System (IOS), which is used on many enterprise routers and Catalyst switches. According to the company, the flaw does not affect the IOS, IOS XR or NX-OS variants.


The vulnerability is tracked as CVE-2019-1904. A remote attacker can abuse it by carrying out a cross-site request forgery (CSRF) attack against affected systems. “The vulnerability is due to too few CSRF protections for the web UI on an affected device. An attacker can exploit this vulnerability by persuading the user of the interface to click on a malicious link,” says Cisco.

In an attack scenario, the exploit may be hidden in rogue advertisements. It can also be weaponized in an exploit kit. Cybercriminals can attack internal networks or administrators without triggering alarms, which makes abusing the flaw attractive.

An attacker who successfully abuses the flaw can perform any action with the same privilege level as the affected user. If that user has administrative privileges, the attacker can change the configuration, execute commands and reload an affected device.


The only way to fix the flaw is to install the Cisco updates. The vulnerability was discovered by researchers from Red Balloon Security. That is the same company that discovered Thangrycat, a serious vulnerability that affected the Cisco Trust Anchor module.

The security company also found another remote code execution flaw in the web interface of IOS XE. This new flaw has no fix yet. However, you can block an attack by disabling the HTTP Server feature. Exploit code exists for the IOS XE vulnerability, but according to Cisco, there is no indication that the code is publicly available.
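As an added example (not from the article or from Cisco), the following Python check reads a saved running-config and reports whether the HTTP Server feature mentioned above is still enabled. The sample configurations are constructed, and reporting a missing line as "not stated" is an assumption, because the default differs between platforms.

```python
import re

# Constructed sample running-config fragments (not taken from a real device).
SAMPLE_EXPOSED = """\
hostname edge-sw1
ip http server
ip http authentication local
ip http secure-server
!
"""
SAMPLE_HARDENED = """\
hostname edge-sw2
no ip http server
no ip http secure-server
!
"""

FEATURES = ("ip http server", "ip http secure-server")


def audit_web_ui(config_text):
    """Return the state of each web UI listener and any access-class ACL."""
    state = {feature: "not stated" for feature in FEATURES}
    acl = None
    for raw in config_text.splitlines():
        if raw != raw.lstrip():
            continue  # indented lines belong to a sub-mode, not global config
        line = raw.strip()
        match = re.fullmatch(r"(no )?(ip http (?:secure-)?server)", line)
        if match:
            state[match.group(2)] = "disabled" if match.group(1) else "enabled"
        elif line.startswith("ip http access-class "):
            acl = line.split()[-1]  # last token is the ACL name or number
    return {"state": state, "access_class": acl}


def findings(config_text):
    """Turn the audit result into one finding per listener that needs attention."""
    result = audit_web_ui(config_text)
    acl = result["access_class"]
    out = []
    for feature, status in result["state"].items():
        if status == "enabled":
            scope = f"restricted by ACL {acl}" if acl else "no access-class restriction"
            out.append(f"{feature}: enabled ({scope}); disable with 'no {feature}'")
        elif status == "not stated":
            out.append(f"{feature}: not stated in config; check the platform default")
    return out


if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(name, findings(cfg) or "web UI disabled")
```
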

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.