Cisco has warned of a zero-day exploit in Cisco IOS XE Software Web Management User Interface, and the company strongly advises users to shut down the attack.

Organizations should look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. One method to identify if the implant is present is to run the following command against the device, where the "DEVICEIP” portion is a placeholder for the IP address of the device to check:

Full info here [blog.talosintelligence.com...]