CVE-2023-20198
Cisco IOS XE Web UI Privilege Escalation Vulnerability - [Actively Exploited]
Description
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
INFO
Published Date :
Oct. 16, 2023, 4:15 p.m.
Last Modified :
May 15, 2025, 6:37 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker to create an account with privilege level 15 access. The attacker can then use that account to gain control of the affected device.
Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html; https://nvd.nist.gov/vuln/detail/CVE-2023-20198
Affected Products
The following products are affected by CVE-2023-20198
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Refer to the vendor advisory for specific patching and configuration guidance.
- Apply the appropriate updates or patches provided by the vendor.
Public PoC/Exploit Available at Github
CVE-2023-20198 has a 81 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2023-20198.
| URL | Resource |
|---|---|
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z | Mitigation Vendor Advisory |
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z | Mitigation Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2023-20198 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2023-20198
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
None
护网2024-POC收录备份
备份的漏洞库,3月开始我们来维护
None
None
Python
CVE POC repo 자동 수집기
Python
None
Analysis, detection, and mitigation of CVE-2023-20198 exploitation in Cisco IOS XE – QUB CSC3064 Network Security Assessment
None
Python Shell HTML JavaScript PowerShell TeX
A go-exploit to scan for implanted Cisco IOS XE Systems cve-2023-20198, go-exploit
Dockerfile Makefile Go
None
HTML
Exploit PoC for CVE-2023-20198
Python
wy876
Python
wy876 POC | wy876的poc仓库已删库,该项目为其仓库镜像
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2023-20198 vulnerability anywhere in the article.
-
CybersecurityNews
Chinese APT Hackers Exploit Router Vulnerabilities to Infiltrate Enterprise Environments
Over the past several years, a concerted campaign by Chinese state-sponsored Advanced Persistent Threat (APT) groups has exploited critical vulnerabilities in enterprise-grade routers to establish lon ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 35
The Good | Interpol Cracks Down on Cybercrime as U.S. Sanctions North Korean IT Scheme Interpol announced the arrest of over 1200 suspects in Operation Serengeti 2.0, a three-month crackdown on cyberc ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 35
The Good | Interpol Cracks Down on Cybercrime as U.S. Sanctions North Korean IT Scheme Interpol announced the arrest of over 1200 suspects in Operation Serengeti 2.0, a three-month crackdown on cyberc ... Read more
-
The Hacker News
Salt Typhoon Exploits Cisco, Ivanti, Palo Alto Flaws to Breach 600 Organizations Worldwide
The China-linked advanced persistent threat (APT) actor known as Salt Typhoon has continued its attacks targeting networks across the world, including organizations in the telecommunications, governme ... Read more
-
Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
UK and US Blame Three Chinese Tech Firms for Global Cyberattacks
A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked three China-based technology companies to a long-running global cyberattac ... Read more
-
CybersecurityNews
CISA Publish Hunting and Mitigation Guide to Defend Networks from Chinese State-Sponsored Actors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA, FBI, and a broad coalition of international partners, has released a comprehensive cybersecurity advisory detailing ... Read more
-
The Register
If you thought China's Salt Typhoon was booted off critical networks, think again
China's Salt Typhoon cyberspies continue their years-long hacking campaign targeting critical industries around the world, according to a joint security alert from cyber and law enforcement agencies a ... Read more
-
Daily CyberSecurity
An Espionage System: NSA, CISA, & Partners Expose Chinese APT Groups
In a multinational alert, the U.S. National Security Agency (NSA), CISA, FBI, and partners from more than a dozen allied nations have released a Joint Cybersecurity Advisory (CSA) exposing how Chinese ... Read more
-
BleepingComputer
Global Salt Typhoon hacking campaigns linked to Chinese tech firms
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-b ... Read more
-
BleepingComputer
Chinese hackers breached National Guard to steal network configurations
The Chinese state-sponsored hacking group known as Salt Typhoon breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and ... Read more
-
Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
Chinese Salt Typhoon Infiltrated US National Guard Network for Months
A sophisticated Chinese APT group, Salt Typhoon, successfully infiltrated the US state’s Army National Guard network for nearly a year, from March 2024 to December 2024. This breach, detailed in a Dep ... Read more
-
The Hacker News
Chinese Hackers Target Taiwan's Semiconductor Sector with Cobalt Strike, Custom Backdoors
The Taiwanese semiconductor industry has become the target of spear-phishing campaigns undertaken by three Chinese state-sponsored threat actors. "Targets of these campaigns ranged from organizations ... Read more
-
Dark Reading
Oh! Canada Added to List of Nations Targeted in Salt Typhoon Telecom Spree
Source: Mattia Dantonio via Alamy Stock PhotoCanada has confirmed that Salt Typhoon targeted one of its telecommunications companies in February via a Cisco flaw, adding it to the growing list of org ... Read more
-
The Hacker News
China-linked Salt Typhoon Exploits Critical Cisco Vulnerability to Target Canadian Telecom
Cyber Espionage / Chinese Hackers The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory warning of cyber attacks mounted by the China-linked ... Read more
-
Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
Salt Typhoon Targets Telecoms via Router Flaws, Warn FBI and Canada
A newly released advisory from the FBI and Canada’s Cyber Centre warns of an ongoing cyber espionage campaign by a China-linked group that is targeting telecom networks worldwide. The report, issued J ... Read more
-
Ars Technica
Canadian telecom hacked by suspected China state group
Hackers suspected of working on behalf of the Chinese government exploited a maximum-severity vulnerability, which had received a patch 16 months earlier, to compromise a telecommunications provider i ... Read more
-
BleepingComputer
Canada says Salt Typhoon hacked telecom firm via Cisco flaw
The Canadian Centre for Cyber Security and the FBI confirm that the Chinese state-sponsored 'Salt Typhoon' hacking group is also targeting Canadian telecommunication firms, breaching a telecom provide ... Read more
-
databreaches.net
People’s Republic of China cyber threat activity: Cyber Threat Bulletin
From the Canadian Centre for Cyber Security: The Canadian Centre for Cyber Security (Cyber Centre) and the United States’ Federal Bureau of Investigation (FBI) are warning Canadians of the threat pose ... Read more
-
security.nl
Canadese overheid meldt aanval op telecombedrijf via bekend Cisco-lek
Een Canadees telecombedrijf is afgelopen februari gecompromitteerd via een bekende kwetsbaarheid in Cisco IOS XE waarvoor sinds oktober 2023 beveiligingsupdates beschikbaar zijn. Al voor het uitkomen ... Read more
-
Cyber Security News
23 Vulnerabilities in Black Basta’s Chat Logs Exploited in the Wild, Including PAN-OS, Cisco IOS, & Exchange
GreyNoise has confirmed active exploitation of 23 out of 62 vulnerabilities referenced in internal chat logs attributed to the Black Basta ransomware group. These vulnerabilities span enterprise softw ... Read more
The following table lists the changes that have been made to the
CVE-2023-20198 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Reanalysis by [email protected]
May. 15, 2025
Action Type Old Value New Value Added CPE Configuration AND OR *cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5200_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 17.12.02 OR cpe:2.3:h:rockwellautomation:allen-bradley_stratix_5200:-:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5800_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 17.12.02 OR cpe:2.3:h:rockwellautomation:allen-bradley_stratix_5800:-:*:*:*:*:*:*:* -
Modified Analysis by [email protected]
Apr. 03, 2025
Action Type Old Value New Value -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z -
Modified Analysis by [email protected]
Jun. 17, 2024
Action Type Old Value New Value Removed CWE NIST NVD-CWE-noinfo Added CWE NIST NVD-CWE-Other -
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
CVE Modified by [email protected]
Jan. 25, 2024
Action Type Old Value New Value Removed Reference Cisco Systems, Inc. http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html Added CWE Cisco Systems, Inc. CWE-420 -
Reanalysis by [email protected]
Nov. 15, 2023
Action Type Old Value New Value Changed Reference Type http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html Exploit, Third Party Advisory http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry -
Modified Analysis by [email protected]
Nov. 15, 2023
Action Type Old Value New Value Changed Reference Type http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html No Types Assigned http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html Exploit, Third Party Advisory Changed CPE Configuration OR *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions up to (excluding) 17.9.4a OR *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions from (including) 16.12 up to (excluding) 16.12.10a *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions from (including) 17.3 up to (excluding) 17.3.8a *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions from (including) 17.6 up to (excluding) 17.6.6a *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions from (including) 17.9 up to (excluding) 17.9.4a -
CVE Modified by [email protected]
Nov. 14, 2023
Action Type Old Value New Value Added Reference Cisco Systems, Inc. http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html [No types assigned] -
CVE Modified by [email protected]
Nov. 07, 2023
Action Type Old Value New Value Changed Description Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory Cisco will provide updates on the status of this investigation and when a software patch is available. Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343. Removed Reference Cisco Systems, Inc. https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ Removed Reference Cisco Systems, Inc. https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit Removed Reference Cisco Systems, Inc. https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities -
CVE Modified by [email protected]
Oct. 25, 2023
Action Type Old Value New Value Added Reference https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities [No Types Assigned] -
Initial Analysis by [email protected]
Oct. 24, 2023
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Changed Reference Type https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ No Types Assigned https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ Press/Media Coverage, Third Party Advisory Changed Reference Type https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z No Types Assigned https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z Mitigation, Vendor Advisory Changed Reference Type https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit No Types Assigned https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit Third Party Advisory Added CWE NIST NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions up to (excluding) 17.9.4a -
CVE Modified by [email protected]
Oct. 16, 2023
Action Type Old Value New Value Added Reference https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit [No Types Assigned] -
CVE Modified by [email protected]
Oct. 16, 2023
Action Type Old Value New Value Added Reference https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ [No Types Assigned]
Vulnerability Scoring Details
Base CVSS Score: 10
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
94.09 }} -0.06%
score
0.99899
percentile