Cisco released a security fix Sunday to address a critical zero-day vulnerability in Cisco IOS XE software, a spokesperson told Cybersecurity Dive, citing a bulletin from the company.
An unidentified hacker exploited the web user interface in Cisco IOS XE and installed malicious backdoors in about 42,000 devices worldwide, security researchers estimate.
Following a company investigation, Cisco found the hacker exploited two previously unknown security issues.
The threat actor exploited CVE-2023-20198, which has a CVSS score of 10, to gain initial access to the system and establish privilege level 15 control, allowing the actor to create a username and password. The user then logged in with normal access.
The attacker exploited a separate component of the web UI feature and elevated privileges to write an implant into the file system. This second vulnerability, CVE-2023-20273, has a score of 7.2.
Before Sunday's patch release, however, security researchers at ShadowServer warned that their scans could no longer see the vast majority of implanted devices.
An older vulnerability, listed as CVE-2021-1435, is not associated with these attacks, according to Cisco Talos.
Until the fix was released, Cisco said, disabling the HTTP feature should help prevent an attack.
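As an added example (not from the article, Cisco, or Talos), the following Python script audits a constructed `show running-config` dump for the two things the article flags: whether the web UI's HTTP services are enabled, and which local accounts hold privilege level 15. It also emits the `no ip http ...` lines that would disable the exposed services. The config text, hostname and usernames are constructed, and secret hashes are placeholders.

```python
import re

# Constructed sample of IOS XE running-config output (not a real device capture).
SAMPLE_CONFIG = """\
version 17.6
hostname edge-router-01
!
username admin privilege 15 secret 9 $9$placeholder
username unexpected_user privilege 15 secret 9 $9$placeholder
username netops privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# "ip http server" / "ip http secure-server" enable the web UI; a leading "no " disables it.
HTTP_RE = re.compile(r"^(?P<neg>no )?ip http (?P<svc>server|secure-server)\s*$", re.M)
# Local user accounts and their privilege level (15 = full administrative control).
USER_RE = re.compile(r"^username (?P<name>\S+) privilege (?P<lvl>\d+)", re.M)


def audit_webui_exposure(config: str) -> dict:
    """Summarise web UI exposure and privilege-15 local users found in a config dump."""
    enabled = {m["svc"] for m in HTTP_RE.finditer(config) if not m["neg"]}
    priv15 = sorted(m["name"] for m in USER_RE.finditer(config) if int(m["lvl"]) == 15)
    return {
        "http_services_enabled": sorted(enabled),
        "web_ui_exposed": bool(enabled),
        "privilege_15_users": priv15,
    }


def mitigation_commands(config: str) -> list:
    """Return the IOS config lines that disable whichever HTTP services are enabled."""
    enabled = audit_webui_exposure(config)["http_services_enabled"]
    return [f"no ip http {svc}" for svc in enabled]


if __name__ == "__main__":
    print(audit_webui_exposure(SAMPLE_CONFIG))
    print("\n".join(mitigation_commands(SAMPLE_CONFIG)))
```

Any privilege-15 account the administrator does not recognise should be treated as a sign of compromise rather than simply removed, since the article notes the actor also cleared logs to cover its tracks.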
Cisco Talos said it first noticed suspicious activity on Sept. 28, but later found activity began on Sept. 18. Cisco Talos Incident Response and Cisco’s Technical Assistance Center later found an additional cluster of activity on Oct. 12.
“We observed the threat actor gathering information about the device and conducting preliminary reconnaissance,” Cisco Talos officials said in a blog post.
The hackers also entered several commands to clear logs and remove users in order to cover up the attack, Cisco Talos researchers said.
The activities are believed to be the work of the same hacker, but the identity of that threat actor has not been disclosed.
Editor’s note: This article has been updated to indicate Cisco issued security fixes Sunday. Also, prior to the security release, researchers were no longer able to see the vast majority of infected devices online.