Cisco Warns of Mass Exploitation of IOS XE Web UI Vulnerability
Cisco disclosed a critical authentication bypass in IOS XE Web UI affecting thousands of enterprise network devices, with mass exploitation and web shell deployment observed within 48 hours of disclosure.
CVE References
Affected
What happened: Cisco published an emergency advisory for a critical authentication bypass vulnerability in the IOS XE Web UI feature. Within 48 hours of disclosure, threat intelligence firms observed mass exploitation affecting thousands of internet-facing Cisco devices worldwide. Attackers are deploying Lua implants that provide persistent remote access even after the Web UI vulnerability is patched. The exploitation echoes the devastating CVE-2023-20198 campaign that compromised tens of thousands of Cisco devices in late 2023.
Technical details: CVE-2025-39105 allows an unauthenticated remote attacker to create a new privileged local user account on any Cisco IOS XE device with the Web UI (HTTP/HTTPS server) feature enabled. The attacker then uses this account to elevate to privilege level 15 (root equivalent) and deploy a Lua-based implant in the web server's virtual filesystem. The implant operates entirely in memory and survives reboots by embedding itself in the device's startup configuration. The implant provides command execution capability via HTTP requests to a specific URL path on the compromised device.
Who is affected: Any organization running Cisco IOS XE-based switches, routers, or wireless controllers with the Web UI HTTP/HTTPS server feature enabled and accessible from the internet. Enterprise networks, ISPs, and managed service providers commonly deploy these devices. Initial scanning shows over 50,000 potentially vulnerable devices exposed to the internet.
What defenders should do: Disable the IOS XE HTTP/HTTPS server feature immediately if not required. If Web UI access is needed, restrict it to management VLANs and trusted IP addresses only. Check for unauthorized local user accounts and review device configurations for Lua implant indicators. Reboot affected devices and check startup configurations for persistence mechanisms. Apply Cisco patches as soon as available and re-verify device integrity after patching.
Broader implications: The second mass exploitation of Cisco IOS XE devices in two years demonstrates that network infrastructure remains critically underprotected. Many organizations failed to implement the defensive measures recommended after the 2023 campaign, leaving their devices exposed to the same class of vulnerability. The speed of exploitation — from disclosure to mass compromise in under 48 hours — leaves virtually no time for manual patching processes and highlights the need for automated security controls on network infrastructure.
Sources