CyberPulse Daily | #1 Trusted Source for Cybersecurity News

Cisco Warns of Actively Exploited Flaw in IOS XE Software Affecting Thousands of Devices

Cisco has disclosed a critical vulnerability (CVE-2026-10247) in its IOS XE software that is being actively exploited in the wild to deploy persistent implants on enterprise routers and switches. The vulnerability affects the web management interface and allows unauthenticated remote code execution.

Threat intelligence firm VulnCheck estimates that over 85,000 internet-facing devices running IOS XE are potentially vulnerable. Initial scans suggest that approximately 12,000 devices have already been compromised with a sophisticated Lua-based implant that survives device reboots.

The implant provides attackers with full control over the device, including the ability to intercept and modify network traffic, create GRE tunnels for data exfiltration, and use the compromised router as a pivot point for deeper network penetration.

Cisco has released IOS XE version 17.12.2 to address the vulnerability and has published indicators of compromise to help organizations detect existing implants. The company recommends disabling the HTTP/HTTPS server feature on all internet-facing devices as an immediate mitigation.
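The recommended mitigation can be checked offline against saved device configurations. The Python below is an added example, not Cisco's tooling or code from the article; it assumes `show running-config` output has been saved as text, and the hostnames and configurations are constructed samples.

```python
import re

# "ip http server" / "ip http secure-server", optionally negated with "no".
HTTP_LINE = re.compile(r"^(no\s+)?ip\s+http\s+(server|secure-server)\s*$")


def http_server_state(running_config):
    """Report each web server feature as enabled, disabled or not stated.

    "not stated" means the config has no line for the feature, so the
    platform default applies and has to be confirmed on the device.
    """
    state = {"server": "not stated", "secure-server": "not stated"}
    for raw in running_config.splitlines():
        match = HTTP_LINE.match(raw.strip())
        if match:
            state[match.group(2)] = "disabled" if match.group(1) else "enabled"
    return state


def audit(configs):
    """Map hostname -> features that are not explicitly disabled."""
    findings = {}
    for host, text in sorted(configs.items()):
        open_features = [f for f, s in http_server_state(text).items()
                         if s != "disabled"]
        if open_features:
            findings[host] = open_features
    return findings


# Constructed sample configs (hypothetical hostnames, not from the article).
SAMPLE_CONFIGS = {
    "edge-rtr-01": "hostname edge-rtr-01\nip http server\nip http secure-server\n",
    "edge-rtr-02": "hostname edge-rtr-02\nno ip http server\nno ip http secure-server\n",
    "edge-sw-03": "hostname edge-sw-03\nno ip http server\nip http secure-server\n",
    "core-sw-04": "hostname core-sw-04\nno ip http server\n",
}

if __name__ == "__main__":
    for host, features in audit(SAMPLE_CONFIGS).items():
        print(f"{host}: review {', '.join('ip http ' + f for f in features)}")
```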

This is the second major IOS XE zero-day in recent years, following a similar incident in October 2023. Network security experts are calling for a fundamental rethinking of how network device management interfaces are exposed to the internet.
