CVE-2023-20198
published 2023-10-16

Priority: P1 (score 100, critical)
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability: due 2023-10-20
Exploited in the wild
EPSS: 99.57% (99.9th percentile)
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

Affected

193 ranges, showing 25. Every row shown has the same vendor and product; the version range and fixed-in columns are not reproduced on this page.

Vendor   Product                  Version range   Fixed in
cisco    cisco_ios_xe_software    (not shown)     (not shown)

Detection & IOCs (extracted from sources)

command: clear logging
command: no username cisco_support
command: no username cisco_tac_admin
command: no username cisco_sys_manager
  • Monitor for log clearing commands ('clear logging') and removal of local usernames via 'no username' commands on IOS XE devices, which indicate attacker defense evasion activity post-exploitation.
  • The BadCandy implant is not persistent and is removed on device reboot, but attacker-created level-15 user accounts survive reboots; incident response should audit local user accounts even after rebooting.
  • GreyNoise observed 110 malicious IPs actively exploiting CVE-2023-20198, primarily geolocated to Bulgaria, Brazil, and Singapore; use the GreyNoise tag/blocklist for real-time IP blocking.
  • The BadCandy implant requires the web server to be restarted to become active; in at least one observed case the server was not restarted, so the implant never became active despite being installed.
  • The 18-character and 40-character hexadecimal strings hardcoded in the BadCandy implant are unique per device in most cases, but were observed to be the same across different devices in some instances; do not rely on a single static hash value for detection.
  • CVE-2021-1435 was initially associated with this activity but was later removed; only CVE-2023-20198 and CVE-2023-20273 are confirmed to be exploited in this attack chain.
  • The second version of BadCandy checks for an HTTP Authorization header before responding, which caused a sharp decline in visibility of infected systems using prior curl-based detection methods; update detection queries accordingly.
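The first two detection points above (log clearing and 'no username' cleanup, and level-15 accounts that outlive a reboot) as a small audit script. This is an added example, not code from the page, from Cisco or from Talos. It runs offline over constructed samples of `show running-config` and config-logger (`show archive log config all` style) output; the sample text, the approved-admin set and the column layout of the log lines are assumptions, and the account names are illustrative. It also reports whether `ip http server` / `ip http secure-server` (the commands that enable the IOS XE web UI) are present, since the implant lives behind that web server.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `show running-config` output (not a real capture).
# cisco_support mirrors the attacker-style account names in the IOCs above.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$abcdefghijklmnop
username cisco_support privilege 15 secret 9 $9$qrstuvwxyz012345
username netops privilege 1 secret 9 $9$zzzzzzzzzzzzzzzz
!
ip http server
ip http secure-server
!
end
"""

# Constructed sample of config-logger lines: idx, session, user@line | command.
# The exact column layout is an assumption for this example.
SAMPLE_CONFIG_LOG = """\
  1     1  admin@console        | logging buffered 64000
  2     2  admin@console        | username netops privilege 1 secret ...
  3     3  cisco_support@vty0   | no username cisco_sys_manager
  4     3  cisco_support@vty0   | clear logging
"""

# Assumed allowlist of legitimate privilege-15 local accounts.
APPROVED_ADMINS: Set[str] = {"admin"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
# Commands the IOC list above associates with post-exploitation defense evasion.
EVASION_RE = re.compile(r"\b(clear logging|no username\s+\S+)")


def find_unapproved_priv15(running_config: str,
                           approved: Set[str] = APPROVED_ADMINS) -> List[str]:
    """Return privilege-15 local usernames that are not in the approved set.

    Level-15 accounts survive a reboot, so run this even after rebooting to
    clear the non-persistent implant.
    """
    return [
        user for user, level in USERNAME_RE.findall(running_config)
        if int(level) == 15 and user not in approved
    ]


def find_evasion_commands(config_log: str) -> List[Dict[str, str]]:
    """Return config-log entries that issued `clear logging` or `no username ...`."""
    hits: List[Dict[str, str]] = []
    for line in config_log.splitlines():
        if "|" not in line:
            continue
        meta, command = (part.strip() for part in line.split("|", 1))
        match = EVASION_RE.search(command)
        if match:
            # Last token of the metadata columns is user@line.
            hits.append({"user": meta.split()[-1], "command": match.group(1)})
    return hits


def http_server_enabled(running_config: str) -> bool:
    """True if the web UI is enabled via `ip http server` or `ip http secure-server`."""
    return bool(re.search(r"^ip http (secure-)?server\b", running_config, re.MULTILINE))


if __name__ == "__main__":
    print("unapproved priv-15 users:", find_unapproved_priv15(SAMPLE_RUNNING_CONFIG))
    for hit in find_evasion_commands(SAMPLE_CONFIG_LOG):
        print(f"evasion command by {hit['user']}: {hit['command']}")
    print("web UI enabled:", http_server_enabled(SAMPLE_RUNNING_CONFIG))
```

Feed the functions real `show running-config` and config-logger output collected over SSH; the config-logger must have been enabled (`archive` / `log config`) before the intrusion for the second check to see anything, and an attacker who ran `clear logging` may already have emptied the syslog buffer, which is why the account audit is the more reliable of the two.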

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      10.0    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck               10.0    CRITICAL
cisa                    10.0    CRITICAL
vendor_cisco            10.0    CRITICAL