{"id":49043,"date":"2024-01-03T12:00:22","date_gmt":"2024-01-03T11:00:22","guid":{"rendered":"https:\/\/dev.secuinfra.com\/cisco-ios-xe-vulnerability-cve-2023-20198-thousands-of-internet-exposed-devices-potentially-compromised\/"},"modified":"2025-01-23T12:18:58","modified_gmt":"2025-01-23T11:18:58","slug":"cisco-ios-xe-vulnerability-cve-2023-20198-thousands-of-internet-exposed-devices-potentially-compromised","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/cisco-ios-xe-vulnerability-cve-2023-20198-thousands-of-internet-exposed-devices-potentially-compromised\/","title":{"rendered":"Cisco IOS XE Vulnerability CVE-2023-20198 \u2013 thousands of internet-exposed devices potentially compromised!"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Edge infrastructure, such as internet-exposed firewalls, routers, VPN-Gateways etc. are a common initial access target for cybercrime and espionage actors since these appliances are challenging to defend.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to the vulnerability discovery service LeakIx <a  href=\"https:\/\/twitter.com\/leak_ix\/status\/1714342183141028307\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >as many as 30 thousand internet-exposed Cisco devices<\/a> may already have been compromised through the Zero-Day vulnerability <a  href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20198\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >CVE-2023-20198<\/a>. 
Internet census providers such as Shodan suggest that there are about 150 000 Cisco IOS XE devices exposed to the internet right now, so any vulnerable appliance among them that is not yet compromised will be attacked in the next few minutes, hours or days.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to the Federal Office for Information Security (BSI) of Germany <a  href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Cybersicherheitswarnungen\/DE\/2023\/2023-275141-1032\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >the threat level is currently rated as level 2 \/ Yellow<\/a>, suggesting a possible temporary risk to business operations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Updates\"><\/span>Updates<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Visit our <a  href=\"https:\/\/twitter.com\/SI_FalconTeam\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Twitter profile (X)<\/a> for the latest updates!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>October 21:<\/strong> <a  href=\"https:\/\/dashboard.shadowserver.org\/statistics\/combined\/time-series\/?date_range=7&amp;source=compromised_website&amp;source=compromised_website6&amp;tag=device-implant%2B&amp;group_by=geo&amp;style=stacked\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Shadowserver has noticed a significant decrease<\/a> in active implants on the Internet. 
This was later attributed to changes in the implant code that evade the current detection mechanism.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>October 23:<\/strong> <a  href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-iosxe-webui-privesc-j22SaA4z\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Cisco confirms<\/a> a second vulnerability (<a  href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20273\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >CVE-2023-20273<\/a>) that allows the implant to be inserted into the &#8220;cisco_service.conf&#8221; file. Cisco has released a patch for the latest version of IOS XE 17.9. <a  href=\"https:\/\/twitter.com\/foxit\/status\/1716472673876730149\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Fox-IT discovered a change in the implant code<\/a> that was rolled out over the weekend and requires an authentication string; we confirmed a <a  href=\"https:\/\/twitter.com\/SI_FalconTeam\/status\/1716497899821941230\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >variant of the 404 deception page<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>October 28:<\/strong> <a  href=\"https:\/\/twitter.com\/SI_FalconTeam\/status\/1718346358950711807\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >The SECUINFRA Falcon team has identified a new exploit attempt<\/a> attributed to the original attacker. <a href=\"https:\/\/testing.secuinfra.com\/en\/news\/cisco-ios-xe-exploit-secuinfra-catches-attackers\/\">We have shared our findings with other network security experts<\/a> to support the development of new detection mechanisms. 
Details about the inner workings of the two vulnerabilities are now public, see the blog posts by <a  href=\"https:\/\/www.horizon3.ai\/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Horizon3<\/a> and <a  href=\"https:\/\/blog.leakix.net\/2023\/10\/cisco-root-privesc\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >LeakIX<\/a>. With public Proof-of-Concepts the number of exploitation attempts on unpatched appliances is going to increase.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Nov 03:<\/strong> We have captured <a  href=\"https:\/\/twitter.com\/SI_FalconTeam\/status\/1720893479830630803\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >a third version of the Lua implant<\/a>, again attributed to the original attacker. They introduced another HTTP header value to restrict access to the Implant and to disrupt fingerprinting of vulnerable appliances again.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_known_so_far\"><\/span>What is known so far<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Authentication Bypass vulnerability CVE-2023-20198 is rated with a CVSS V3 score of 10.0 (the highest possible score). It allows an unauthenticated attacker exploiting the web UI feature to access an internal API to e.g. create an administrative account with level 15 privileges (again, the highest possible). With this access an attacker can gain full control of the appliance, meaning all data present on it and the device itself should be treated as fully compromised.  
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Webshell \/ Implant is installed through the command injection vulnerability CVE-2023-20273 in the <code>installAdd<\/code> function, which is caused by improper input validation of the ipaddress parameter.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In a technical advisory Cisco Talos describes a Lua Webshell\/Implant that was inserted into the configuration of affected devices after automated exploitation of the vulnerability. It allows the attackers to issue IOX commands with Privilege-Level 15 and thereby change arbitrary system configuration settings. The Implant does not persist through a reboot of the appliance.  <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"962\" height=\"625\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Lua-WebshellImplant-V1-1.png\" alt=\"\" class=\"wp-image-56629\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Lua-WebshellImplant-V1-1.png 962w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Lua-WebshellImplant-V1-1-800x520.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Lua-WebshellImplant-V1-1-768x499.png 768w\" sizes=\"(max-width: 962px) 100vw, 962px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 1: Lua Webshell\/Implant V1 (Source: Cisco Talos)<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\">Below you can see screenshots of the third version of the Implant as captured on November 3rd:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1600\" height=\"785\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/abbildung2-1-1600x785.jpg\" alt=\"\" class=\"wp-image-56752\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung2-1-1600x785.jpg 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung2-1-800x392.jpg 800w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung2-1-768x377.jpg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung2-1-1536x753.jpg 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung2-1-2048x1004.jpg 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 2: Lua Webshell\/Implant V3 (Source: SECUINFRA Falcon Team)<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Affected_Devices\"><\/span>Affected Devices<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At the time of writing, the <a  href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-iosxe-webui-privesc-j22SaA4z\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Cisco advisory<\/a> gives no exact overview of the affected IOS XE versions or devices, only the information that the vulnerability may be present on both physical and virtualized appliances. <a  href=\"https:\/\/www.cisco.com\/c\/en\/us\/products\/ios-nx-os-software\/ios-xe\/index.html#~products\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >According to Cisco\u2019s documentation<\/a>, affected products may include enterprise switches, wireless controllers, access points and a broad selection of router products, e.g. 
from the Catalyst, ASR, CSR, CBR, ISR, IR and NCS series.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Indicators_of_Compromise\"><\/span>Indicators of Compromise<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Provided by Cisco<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">During automated exploitation of Cisco appliances threat actors are currently using the following usernames during the creation of administrative accounts:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The admin panel and system logs of possibly compromised appliances should be reviewed for newly created and unknown user accounts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Two systems have been observed actively scanning for \/ exploiting this vulnerability, although this number will likely increase quickly: 5.149.249[.]74 and 154.53.56[.]231<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the following command (replacing DEVICEIP with the IP address of your appliance) administrators can check for the presence of the implant on the appliance. If a hexadecimal string is returned, this may suggest that the device has already been compromised.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Findings from our Honeypots<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We are using Honeypots with different Software versions to gauge exploitation activity and to gain insight into attacker TTPs. To contribute to the detection and research efforts of the wider cybersecurity community, we are publishing captured exploitation logs in our <a  href=\"https:\/\/github.com\/SIFalcon\/research\/tree\/main\/CVE-2023-20198\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Research<\/a> GitHub repository.  
Below you can see an overview of our current honeypot infrastructure:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1600\" height=\"1224\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/abbildung3-1-1600x1224.png\" alt=\"\" class=\"wp-image-56754\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung3-1-1600x1224.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung3-1-800x612.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung3-1-768x587.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung3-1-1536x1175.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung3-1-2048x1566.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 3: Our current Honeypot setup<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Example Logs<\/h4>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"340\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/beispiel-logs-1-1600x340.png\" alt=\"\" class=\"wp-image-56756\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/beispiel-logs-1-1600x340.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/beispiel-logs-1-800x170.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/beispiel-logs-1-768x163.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/beispiel-logs-1-1536x327.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/beispiel-logs-1.png 1673w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Captured IoC<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">154.53.63[.]93 cisco_support cisco_sys_manager cisco_tac_admin<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">A 
comprehensive list can be found in <a  href=\"https:\/\/github.com\/SIFalcon\/research\/blob\/main\/CVE-2023-20198\/ioc.txt\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >our GitHub repository<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Based on the modus operandi of the captured attacks and the infrastructure used, we were able to cluster certain attacking hosts together:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"1257\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/abbildung4-1-1600x1257.jpg\" alt=\"\" class=\"wp-image-56759\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung4-1-1600x1257.jpg 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung4-1-800x629.jpg 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung4-1-768x603.jpg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung4-1-1536x1207.jpg 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abbildung4-1.jpg 1759w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 4: Overview of attacker infrastructure<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Mitigations\"><\/span>Mitigations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For appliances that are reachable (directly) from the internet, Cisco recommends checking whether the Web Interface is enabled and reachable from the outside interface, which can be done with the following command (output for a true positive shown below): <code>Router# show running-config | include ip http server|secure|active<\/code><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><em>ip http server<\/em><br><em>ip http secure-server<\/em><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Should these commands be present with the 
additional lines \u2013 <em>ip http (secure-)active-session-modules none<\/em> \u2013 the vulnerability is not exploitable via HTTP(S).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>It is highly recommended to disable the web UI on internet-facing appliances for the time being, at least until a patch is available from Cisco.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To disable the web UI, issue the following commands in Global Configuration Mode:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><em>no ip http server<\/em><br><em>no ip http secure-server<\/em><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_we_can_help\"><\/span>How we can help<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Do you need support in assessing whether your internet-facing Cisco device has already been compromised? We are happy to assist as soon as possible through a forensic analysis of the network device in question.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Please do not reboot (potentially) affected appliances in case of a pending forensic investigation to preserve evidence in volatile storage.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In case there is clear evidence of an active compromise on the device itself, we recommend isolating it and conducting a compromise assessment of the adjacent environment to make sure that there are no preparations being made for a larger scale attack, e.g. 
pre-ransomware activity, lateral movement etc.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We are actively researching this exploitation campaign through honeypots and building custom detection rules for adversary TTPs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Further_Resources\"><\/span>Further Resources<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/www.rapid7.com\/blog\/post\/2023\/10\/17\/etr-cve-2023-20198-active-exploitation-of-cisco-ios-xe-zero-day-vulnerability\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Rapid7-Advisory<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/github.com\/vulncheck-oss\/cisco-ios-xe-implant-scanner\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Vulncheck Implant-Scanning-Tool<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Edge infrastructure, such as internet-exposed firewalls, routers, VPN-Gateways etc. are a common initial access target for cybercrime and espionage actors since these appliances are challenging to defend. 
According to the vulnerability discovery service LeakIx as many as 30 thousand internet-exposed Cisco devices may already have been compromised&#8230;<\/p>\n","protected":false},"author":6,"featured_media":49003,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[86,81],"tags":[],"dpc_coauthors":[],"class_list":["post-49043","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-incident-response","category-techtalk"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/49043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=49043"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/49043\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/49003"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=49043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=49043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=49043"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=49043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}