{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cisco-secure-firewall-threat-defense/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["IOS","Cisco Secure Firewall Threat Defense"],"_cs_severities":["high"],"_cs_tags":["cisco","network","privilege escalation","command execution"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis threat involves attackers who already have access to a Cisco IOS device establishing a durable foothold: they create a local account at privilege level 15 and then run CLI commands through the IOS HTTP server instead of over an interactive SSH session. The legacy web interface of the IOS HTTP server encodes a privilege level and a CLI command in the URL path, so an HTTP GET or POST to a path of the form \u003ccode\u003e/level/15/exec/-/*\u003c/code\u003e executes the embedded command at the highest privilege level (level 15). Controlling the device this way leaves no interactive login session for administrators to notice and blends in with ordinary management traffic. This activity has been associated with APT actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the network, for example through a vulnerability in another network device or an exposed service.\u003c/li\u003e\n\u003cli\u003eThe attacker scans the network for Cisco IOS devices, in particular ones with the HTTP or HTTPS management server enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Cisco IOS device by exploiting a vulnerability or with stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new local account on the device, typically with \u003ccode\u003eusername \u0026lt;name\u0026gt; privilege 15 secret \u0026lt;password\u0026gt;\u003c/code\u003e, so that the account lands directly in privileged EXEC mode.\u003c/li\u003e\n\u003cli\u003eAuthenticating as the new account, the attacker sends HTTP GET or POST requests to privileged execution paths such as \u003ccode\u003e/level/15/exec/-/*\u003c/code\u003e, with the CLI command to run encoded in the URL path.\u003c/li\u003e\n\u003cli\u003eThe IOS HTTP server executes each embedded command with the privileges of the newly created account and returns the command output in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised device to explore the network further, exfiltrate data, or disrupt network operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives the attacker full control of the Cisco device and a foothold from which to compromise the rest of the network. With level 15 access the attacker can intercept or redirect traffic, disrupt network services, exfiltrate sensitive data, or pivot to other systems, and can modify the device configuration, add further accounts, or disable logging and other security features to hide the activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable logging on Cisco IOS devices and forward it to a SIEM. Configuration change logging (\u003ccode\u003earchive\u003c/code\u003e, \u003ccode\u003elog config\u003c/code\u003e, \u003ccode\u003elogging enable\u003c/code\u003e, \u003ccode\u003enotify syslog\u003c/code\u003e) records every configuration command together with the user who issued it, including \u003ccode\u003eusername ... privilege 15\u003c/code\u003e, and AAA command accounting records each privileged command and who ran it.\u003c/li\u003e\n\u003cli\u003eEnable and tune the \u0026ldquo;Cisco IOS Suspicious Privileged Account Creation\u0026rdquo; and \u0026ldquo;Cisco Secure Firewall - Privileged Command Execution via HTTP\u0026rdquo; detections in your security tools, and make sure both generate risk events keyed on the same entity field (the device address or hostname) so that the two stages can be correlated.\u003c/li\u003e\n\u003cli\u003eInvestigate correlated risk events from this analytic, focusing on devices where a privileged account creation is followed within a short window by HTTP requests to a \u003ccode\u003e/level/15/exec/\u003c/code\u003e path; treat the account, the requesting source address, and the commands in the URL paths as the starting point for scoping.\u003c/li\u003e\n\u003cli\u003eRestrict HTTP access to Cisco IOS devices: disable the HTTP server where it is not needed (\u003ccode\u003eno ip http server\u003c/code\u003e and, if HTTPS management is not required, \u003ccode\u003eno ip http secure-server\u003c/code\u003e); otherwise limit it to management addresses with \u003ccode\u003eip http access-class\u003c/code\u003e and require AAA authentication with \u003ccode\u003eip http authentication aaa\u003c/code\u003e. Enforce strong authentication for all remaining access methods.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit local accounts on Cisco IOS devices (for example with \u003ccode\u003eshow running-config | include username\u003c/code\u003e) and remove any that are unauthorized.\u003c/li\u003e\n\u003cli\u003eDeploy the correlation search that links privileged account creation to subsequent HTTP command execution on the same device.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:46:52Z","date_published":"2026-05-28T17:46:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cisco-priv-account-http-cmd-exec/","summary":"Attackers who have compromised a Cisco IOS device create a privilege-level-15 local account and then run CLI commands through the IOS HTTP server at /level/15/exec/ paths, avoiding interactive SSH sessions.","title":"Cisco Privileged Account Creation Followed by HTTP Command Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-cisco-priv-account-http-cmd-exec/"}],"language":"en","title":"CraftedSignal Threat Feed — Cisco Secure Firewall Threat Defense","version":"https://jsonfeed.org/version/1.1"}
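The two-stage detection that the brief's Recommendation section describes, as an added example that is not part of the CraftedSignal feed or of any Cisco product: it parses constructed IOS configuration-change syslog lines for `username ... privilege 15` commands, parses constructed firewall connection events for requests whose URL path is an IOS `/level/<n>/exec/` path, and correlates the two on the device address, firing only when the HTTP exec request follows the account creation within a time window. The log formats, the one-hour window, the log year and the treatment of the `-` path segment are assumptions; the firewall lines are a simplified key=value rendering with a URL field, not the exact Secure Firewall syslog format.

```python
"""Correlate privileged account creation on Cisco IOS with later CLI-over-HTTP
requests to /level/<n>/exec/ paths seen at the firewall.

Added example, not code from the CraftedSignal feed or from Cisco. All log
lines below are constructed: the IOS lines approximate `archive / log config`
syslog output (%PARSER-5-CFGLOG_LOGGEDCMD); the firewall lines are a
simplified key=value rendering of a connection event with a URL field.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

LOG_YEAR = 2026  # assumption: the syslog lines carry no year

# Constructed IOS syslog: admin creates a level-15 account on 10.0.0.1; a
# default (level 1) account is added on 10.0.0.2; 10.0.0.3 gets a level-15
# account only *after* the HTTP request to it, so it must not correlate.
IOS_SYSLOG = """\
Mar 14 10:02:11 10.0.0.1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:username svc_backup privilege 15 secret 0 ********
Mar 14 10:02:13 10.0.0.1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.7)
Mar 14 10:09:40 10.0.0.2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:username guest secret 0 ********
Mar 14 10:45:00 10.0.0.3 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:username oncall privilege 15 secret 0 ********
""".splitlines()

# Constructed firewall connection events: two privileged exec requests to
# 10.0.0.1, one benign request, one exec request to 10.0.0.3 before its
# privileged account existed.
FW_EVENTS = """\
Mar 14 10:05:02 fw01 connection src=203.0.113.7 dst=10.0.0.1 dport=80 method=GET url=/level/15/exec/-/show/running-config
Mar 14 10:05:09 fw01 connection src=203.0.113.7 dst=10.0.0.1 dport=80 method=POST url=/level/15/exec/-/copy/running-config/tftp
Mar 14 10:20:00 fw01 connection src=10.0.0.50 dst=10.0.0.2 dport=443 method=GET url=/
Mar 14 10:30:00 fw01 connection src=198.51.100.9 dst=10.0.0.3 dport=80 method=GET url=/level/15/exec/-/show/version
""".splitlines()

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
ACCOUNT_RE = re.compile(
    TS + r" (?P<device>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<actor>\S+) "
    r"logged command:username (?P<account>\S+)(?P<rest>.*)$")
HTTP_RE = re.compile(
    TS + r" \S+ .*\bsrc=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ "
    r"method=(?P<method>\S+) url=(?P<url>\S+)")
# IOS HTTP server CLI path: privilege level, then command words separated by
# "/". The "-" segment is skipped as a placeholder (an assumption that
# follows the brief's /level/15/exec/-/* pattern).
LEVEL_EXEC_RE = re.compile(r"^/level/(?P<level>\d+)/exec/(?:-/)?(?P<cmd>.*)$")


def parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def find_privileged_account_creations(lines, min_level=15):
    """`username ... privilege N` config commands with N >= min_level.
    IOS gives a new user privilege 1 when no level is specified."""
    events = []
    for line in lines:
        m = ACCOUNT_RE.search(line)
        if not m:
            continue
        priv = re.search(r"\bprivilege (\d+)", m["rest"])
        level = int(priv.group(1)) if priv else 1
        if level >= min_level:
            events.append({"ts": parse_ts(m["ts"]), "device": m["device"],
                           "actor": m["actor"], "account": m["account"],
                           "level": level})
    return events


def find_http_exec_requests(lines, min_level=15):
    """HTTP requests whose URL path is an IOS /level/<n>/exec/ exec path."""
    events = []
    for line in lines:
        m = HTTP_RE.search(line)
        if not m:
            continue
        path = unquote(m["url"]).split("?", 1)[0]  # decode, drop query string
        e = LEVEL_EXEC_RE.match(path)
        if not e or int(e["level"]) < min_level:
            continue
        events.append({"ts": parse_ts(m["ts"]), "src": m["src"], "dst": m["dst"],
                       "method": m["method"], "level": int(e["level"]),
                       "command": " ".join(s for s in e["cmd"].split("/") if s)})
    return events


def correlate(creations, requests, window=timedelta(hours=1)):
    """Alert when a device receives a privileged exec request over HTTP within
    `window` *after* a privileged account was created on it. The shared
    entity field is the device address: creation.device == request.dst."""
    alerts = []
    for c in creations:
        hits = sorted((r for r in requests if r["dst"] == c["device"]
                       and c["ts"] <= r["ts"] <= c["ts"] + window),
                      key=lambda r: r["ts"])
        if hits:
            alerts.append({"device": c["device"], "account": c["account"],
                           "created_by": c["actor"], "created_at": c["ts"],
                           "sources": sorted({r["src"] for r in hits}),
                           "commands": [r["command"] for r in hits]})
    return alerts


def run_detection(ios_lines=IOS_SYSLOG, fw_lines=FW_EVENTS):
    return correlate(find_privileged_account_creations(ios_lines),
                     find_http_exec_requests(fw_lines))


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['device']}: account {a['account']} created by {a['created_by']} "
              f"at {a['created_at']:%H:%M:%S}, then HTTP exec from "
              f"{', '.join(a['sources'])}: {a['commands']}")
```

Run directly, the script reports one alert for 10.0.0.1 and stays silent for 10.0.0.3, where the exec request preceded the account creation; the lone request to 10.0.0.3 is still worth a single-stage alert, which is what the separate "Privileged Command Execution via HTTP" detection is for. Before a join like this works in a real SIEM, both sides have to emit the device identity in the same form (address or hostname, not one of each), which is the point of the brief's note about generating risk events on the same entity field.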