Cisco has published an updated advisory detailing two vulnerabilities affecting Cisco IOS XE devices. Both are being actively exploited.
CVE-2023-20198 – A remote, unauthenticated attacker could create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
CVE-2023-20273 – A remote, authenticated attacker could inject arbitrary commands as the root user.
The NCSC is working with UK organisations known to be impacted and has notified affected UK organisations signed up for the NCSC Early Warning service.
Source: National Cyber Security Centre