⚠ Actively exploited
Added to CISA KEV on 2023-10-16. Federal agencies required to patch by 2023-10-20. Required action: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.

CVE-2023-20198 (Cisco IOS XE): Unprotected Alternate Channel in Cisco IOS XE

Severity
10.0 CRITICAL (NVD)
EPSS
94.0% (top 0.10%)
CISA KEV
Added 2023-10-16
Due 2023-10-20
Exploit
Exploited in the wild; active exploitation observed
Timeline
Published: Oct 16
KEV added: Oct 16
KEV due: Oct 20
Latest update: Oct 31

Description

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (4 packages)

🔴Vulnerability Details (3)

GHSA
GHSA-4xrf-pcxr-rf3c: Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet… (2023-10-16)
CVEList
CVE-2023-20198: Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software (2023-10-16)
VulnCheck
Cisco IOS XE Web UI Privilege Escalation Vulnerability (2023)

💥Exploits & PoCs (4)

Metasploit
Cisco IOX XE unauthenticated Command Line Interface (CLI) execution
Metasploit
Cisco IOX XE unauthenticated OS command execution
Nuclei
Cisco IOS XE Web UI - Command Injection
Metasploit
Cisco IOX XE Unauthenticated RCE Chain

🔍Detection Rules (15; 5 listed)

Suricata
ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) M3 (2023-11-07)
Suricata
ET INFO Cisco IOS XE Web Server Config Change in SOAP (CVE-2023-20198) (Outbound) (2023-10-30)
Suricata
ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Outbound) (2023-10-30)
Suricata
ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Inbound) (2023-10-30)
Suricata
ET HUNTING Suspicious Cisco Privilege Level 15 in HTTP Header (Inbound) (2023-10-30)
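The detection rules above look for the same handful of artifacts that the description attributes to the attacker: a SOAP execCLI call into the web UI, a privilege-level-15 marker on a request that never authenticated, a configuration push that creates a local user at privilege 15, and later logins from the username cisco_support. The script below is an added example, not code from cvebase, Cisco, or the rule authors; it scans raw HTTP requests for those artifacts so the chain in the description can be triaged from a capture. The sample requests are constructed. The header name Priv-Level, the /webui_wsma_HTTP path, and the WSMA element names (execCLI, cmd, configApply) are assumptions about what the signatures match on, not facts taken from this page.

```python
"""Scan raw HTTP requests to a Cisco IOS XE web UI for the CVE-2023-20198
artifacts named by the detection rules above. Added example: not code from
cvebase, Cisco, or the rule authors. Sample requests are constructed; the
header name Priv-Level, the /webui_wsma_HTTP path and the WSMA element names
(execCLI, cmd, configApply) are assumptions, not taken from this page."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # which indicator fired
    detail: str  # what matched (command, username, auth state)


# "Suspicious Cisco Privilege Level 15 in HTTP Header": header name assumed.
PRIV15_HEADER = re.compile(r"^priv-level:\s*15\s*$", re.I | re.M)
# "execCLI in SOAP": a WSMA exec request carrying an IOS command.
EXECCLI_SOAP = re.compile(
    r"<(?:\w+:)?execCLI\b[^>]*>\s*<(?:\w+:)?cmd>(.*?)</(?:\w+:)?cmd>", re.I | re.S)
# "Config Change in SOAP": a WSMA config push; inside it, the privilege-15
# local user the description says the attacker created.
CONFIG_SOAP = re.compile(r"<(?:\w+:)?configApply\b", re.I)
PRIV15_USER = re.compile(r"\busername\s+(\S+)\s+privilege\s+15\b", re.I)
# "Auth From Suspicious Username (cisco_support)".
SUSPICIOUS_USERS = {"cisco_support"}
FORM_USER = re.compile(r"(?:^|&)username=([^&\s]+)", re.I)


def split_request(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP/1.1 request into request line, lowercase-keyed headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def basic_auth_user(headers: dict[str, str]) -> str | None:
    """Username from an HTTP Basic Authorization header, or None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0]


def scan_request(raw: str) -> list[Finding]:
    """Return every indicator that fires on one raw request, in a fixed order."""
    request_line, headers, body = split_request(raw)
    head = raw.split("\r\n\r\n", 1)[0]
    findings: list[Finding] = []

    if PRIV15_HEADER.search(head):
        # Privilege 15 asserted by the client; worst case is with no credentials at all.
        authed = "authorization" in headers or "cookie" in headers
        findings.append(Finding("priv15-header", "with credentials" if authed else "unauthenticated"))

    for cmd in EXECCLI_SOAP.findall(body):
        findings.append(Finding("execcli-soap", cmd.strip()))

    if CONFIG_SOAP.search(body):
        findings.append(Finding("config-change-soap", request_line))
        for user in PRIV15_USER.findall(body):
            findings.append(Finding("priv15-user-created", user))

    user = basic_auth_user(headers)
    if user is None:
        m = FORM_USER.search(body)
        user = m.group(1) if m else None
    if user is not None and user.lower() in SUSPICIOUS_USERS:
        findings.append(Finding("suspicious-username", user))
    return findings


# Constructed sample traffic: the chain from the description, then a benign request.
_SOAP = '<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><SOAP:Body>{}</SOAP:Body></SOAP:Envelope>'
SAMPLE_REQUESTS = [
    "POST /webui_wsma_HTTP HTTP/1.1\r\nHost: 192.0.2.10\r\nPriv-Level: 15\r\nContent-Type: text/xml\r\n\r\n"
    + _SOAP.format('<request xmlns="urn:cisco:wsma-exec" correlator="1"><execCLI><cmd>show running-config</cmd></execCLI></request>'),
    "POST /webui_wsma_HTTP HTTP/1.1\r\nHost: 192.0.2.10\r\nPriv-Level: 15\r\nContent-Type: text/xml\r\n\r\n"
    + _SOAP.format('<request xmlns="urn:cisco:wsma-config" correlator="2"><configApply details="all"><config-data>'
                   '<cli-config-data-block>username cisco_support privilege 15 secret REDACTED</cli-config-data-block>'
                   '</config-data></configApply></request>'),
    "GET /webui/ HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic "
    + base64.b64encode(b"cisco_support:REDACTED").decode() + "\r\n\r\n",
    "GET /webui/ HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: session=abc123\r\n\r\n",
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_REQUESTS, 1):
        print(f"request {i}: {[(f.rule, f.detail) for f in scan_request(raw)] or 'clean'}")
```

Run it against the constructed samples and the first request reports the privilege-15 header on an unauthenticated request plus the execCLI command, the second reports the config push that creates cisco_support at privilege 15, the third reports the later Basic-auth login as cisco_support, and the benign request reports nothing. The ordering of the findings mirrors the chain in the description; feed it real request bodies from a capture (one request per string, CRLF-delimited) to get the same triage on live data.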

📋Vendor Advisories (2)

CISA
Cisco IOS XE Web UI Privilege Escalation Vulnerability (2023-10-16)
Cisco
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature (2023-10-16)

🕵️Threat Intelligence (12; 5 listed)

Bleepingcomputer
Australia warns of BadCandy infections on unpatched Cisco devices (2025-10-31)
Bleepingcomputer
Canada says Salt Typhoon hacked telecom firm via Cisco flaw (2025-06-23)
Bleepingcomputer
Chinese hackers breach more US telecoms via unpatched Cisco routers (2025-02-14)
Bleepingcomputer
Exploit released for critical Cisco IOS XE flaw, many hosts still hacked (2023-10-30)
Bleepingcomputer
Cisco patches IOS XE zero-days used to hack over 50,000 devices (2023-10-23)
CVE-2023-20198 — Cisco IOS XE | cvebase