Critical Cisco IOS XE Vulnerability Under Active Exploitation; Thousands of Devices Compromised
A critical zero-day vulnerability in Cisco IOS XE software is being actively exploited, with security researchers identifying over 40,000 compromised devices worldwide.
Security researchers are warning that a critical zero-day vulnerability in Cisco IOS XE software is being actively exploited in the wild, with estimates suggesting more than 40,000 devices have already been compromised.
The vulnerability, tracked as CVE-2026-20198, carries a maximum CVSS score of 10.0 and allows unauthenticated remote attackers to gain full administrative access to affected devices. The flaw exists in the web user interface feature of Cisco IOS XE Software.
"We're seeing widespread exploitation across multiple sectors," said Dr. Helena Vasquez, threat intelligence lead at ShadowStack Security. "The attackers are creating privileged accounts and deploying implants that persist even after reboots."
Cisco has released a security advisory acknowledging the vulnerability and urging customers to disable the HTTP Server feature on internet-facing systems as an immediate mitigation. A patch is expected within the next 48 hours.
The affected devices include enterprise switches, routers, and wireless controllers running IOS XE with the web UI feature enabled. Organizations in healthcare, financial services, and government sectors appear to be among the most heavily targeted.
Security firm Volexity, which first identified the in-the-wild exploitation, noted that the attackers appear to be sophisticated and are taking steps to maintain persistence on compromised devices.
CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and is urging federal agencies to apply mitigations immediately.