In the ever-evolving landscape of cybersecurity, keeping up with the latest threats is paramount. This week, a significant vulnerability was unveiled in Cisco's IOS XE Software / Web UI, labeled as CVE-2023-20198. This maximum criticality vulnerability allows a cyber threat actor to remotely exploit many Cisco devices, potentially taking control of an affected device, creating unauthorized administrator-level accounts, and maintaining unauthorized access to the system​. As of October 18, nearly 145,000 internet-facing routers were publicly identifiable as affected through Shodan scans. 

Despite diligent efforts to maintain our own secure networks, one often overlooked aspect is the security posture of our vendor’s networks, which if compromised, could serve as a gateway for cyber threat actors into your system or data. Even if your organization has taken steps to mitigate this recent Cisco vulnerability by updating your Cisco devices, have your vendors done the same? The crux of the issue lies not only in ensuring that your network is secure but extending that security check to your vendor networks, creating a robust security posture that leaves no stone unturned. 

At Fortress Information Security we specialize in managing vendor risk, ensuring that not only your organization but your entire vendor network is protected against the latest threats. Our comprehensive third-party risk management service will help you ascertain whether your vendors have taken the necessary steps to mitigate this recent Cisco vulnerability, providing a thorough analysis of your vendor network's security posture. 

Starting today, we’ve set up a Supply Chain Event Mutual Assistance team to help you collect, manage, and report on your vendor’s response to this critical vulnerability. When you join our information campaign, you will be able to see what vendors have already answered questions regarding IOS XE, but also submit your own vendors to have automated questionnaires and responses processed, aggregated, and reported on their exposure. Don’t spend the next six months chasing vendors to record your risk. We’ll do the leg work to report your risk and let you focus on what matters most to your business.