CVE-2023-20273
Published 2023-10-25
Severity: high (CVSS 3.1 base score 7.2; vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability, due 2023-10-27
Exploited in the wild (initial access)
EPSS: 89.63% (99.8th percentile)
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.
Affected
378 affected version ranges recorded (vendor cisco, product cisco_ios_xe_software); the version-range and fixed-in values were not captured on this page.
Detection & IOCs (extracted from sources)
- A second version of the BadCandy implant added a check for the HTTP Authorization header before responding, used to evade detection by curl-based scanning. Absence of a response without an Authorization header on a previously responding device may indicate the updated implant is present.
- Newly created local user accounts with privilege level 15 persisting after reboots are an indicator of compromise from CVE-2023-20198 exploitation. Look for unexpected usernames such as 'cisco_tac_admin', 'cisco_support', and 'cisco_sys_manager'.
- The BadCandy implant is non-persistent and removed on reboot, but its presence can be checked via the file path /usr/binos/conf/nginx-conf/cisco_service.conf on the device filesystem.
- Fox-IT found that the implant on compromised devices was modified to check for an Authorization HTTP header value before responding; use an alternative scanning method (not relying on unauthenticated curl) to detect the updated implant on IOS XE devices with web UI exposed.
- CVE-2023-20273 is exploitable only when the HTTP Server feature is enabled on the device. Detect exposure by checking for 'ip http server' or 'ip http secure-server' in the running configuration.
- CVE-2023-20273 is only exploitable after CVE-2023-20198 has been used to create a local user account; it requires an authenticated attacker (the newly created user) to perform command injection for root-level implant installation.
- Both CVE-2023-20198 and CVE-2023-20273 are tracked under a single Cisco bug ID (CSCwh87343); patches began rolling out October 22, 2023, with the first fixed release being 17.9.4a.
- The BadCandy implant's 18-character and 40-character hardcoded hex strings are unique per device in most observed cases, suggesting per-device authentication tokens; however, in some cases the same strings were observed across different devices.
- The implant requires a web server restart to become active; in at least one observed case the server was not restarted, so the implant never became active despite being installed.
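The two running-config checks from the list above (web UI listener enabled; unexpected privilege-15 local users), applied to a config dump offline. This is an added example, not code from the page or from Cisco; the sample config, the `EXPECTED_ADMINS` allowlist and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (hypothetical device, not a real capture).
SAMPLE_CONFIG = """\
version 17.9
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 password 7 placeholder
username guest privilege 1 secret 9 $9$placeholder
!
ip http server
no ip http secure-server
ip http authentication local
!
end
"""

# Account names the indicator list above calls out as unexpected.
SUSPICIOUS_USERNAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

# Operator-maintained allowlist of legitimate privilege-15 accounts (assumption).
EXPECTED_ADMINS = {"netops"}

# 'ip http server' / 'ip http secure-server', optionally negated with a leading 'no'.
HTTP_SERVER_RE = re.compile(r"^(no\s+)?ip http (secure-server|server)\s*$")
# 'username <name> privilege <level> ...'
USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def web_ui_exposure(config):
    """Return {'http': bool, 'https': bool}: which web UI listeners are enabled.

    A later 'no ip http ...' line overrides an earlier enable, as it would when
    the configuration is applied in order.
    """
    state = {"http": False, "https": False}
    for line in config.splitlines():
        m = HTTP_SERVER_RE.match(line.strip())
        if not m:
            continue
        key = "https" if m.group(2) == "secure-server" else "http"
        state[key] = m.group(1) is None  # group(1) present means the 'no' form
    return state


def privilege15_users(config):
    """Return local usernames configured with privilege 15, in config order."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and int(m.group(2)) == 15:
            users.append(m.group(1))
    return users


def assess(config, expected_admins=EXPECTED_ADMINS):
    """Combine both checks into a findings list a reviewer can act on."""
    exposure = web_ui_exposure(config)
    exposed = exposure["http"] or exposure["https"]
    unexpected = [u for u in privilege15_users(config) if u not in expected_admins]
    known_bad = [u for u in unexpected if u in SUSPICIOUS_USERNAMES]

    findings = []
    if exposed:
        enabled = [k for k, v in exposure.items() if v]
        findings.append("web UI reachable: HTTP server feature enabled (%s), "
                        "a precondition for CVE-2023-20273" % ", ".join(enabled))
    for user in unexpected:
        why = ("name matches a reported indicator" if user in SUSPICIOUS_USERNAMES
               else "not in the expected admin allowlist")
        findings.append("privilege 15 local user '%s': %s" % (user, why))

    return {
        "web_ui_exposed": exposed,
        "unexpected_privilege15": unexpected,
        "known_suspicious_names": known_bad,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
```

Because the implant itself is non-persistent, a clean config does not prove a device was never compromised; the persisting accounts are the durable trace.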
CVSS provenance
- nvd: v3.1, 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 7.2 HIGH
- cisa: 7.2 HIGH
- vendor_cisco: 10.0 CRITICAL
CISA ICS · cisa_ics · 2023-11-21 · CVSS 10.0 (CRITICAL)
Rockwell Automation Stratix 5800 and Stratix 5200 (Update A)
ICS Advisory · Last Revised: November 21, 2023 · Alert Code: ICSA-23-297-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity/known public exploitation
- Vendor: Rockwell Automation
- Equipment: Stratix 5800 and Stratix 5200
- Vulnerabilities: Unprotected Alternate Channel, OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to take control of the affected system.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Stratix products and the contained Cisco IOS software are affected:
- Stratix 5800 (running Cisco IOS XE Software with the Web UI fe
CISA · cisa · 2023-10-23 · CVSS 7.2 (HIGH) · CVE-2023-20273 · CWE-78
Cisco IOS XE Web UI Command Injection Vulnerability
Vulnerability: Cisco IOS XE Web UI Command Injection Vulnerability
Affected: Cisco Cisco IOS XE Web UI
Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the new local user to elevate privilege to root and write the implant to the file system. Cisco identified CVE-2023-20273 as the vulnerability exploited to deploy the implant. CVE-2021-1435, previously associated with the exploitation events, is no longer believed to be related to this activity.
Required Action: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instr
Cisco · vendor_cisco · 2023-10-16 · CVSS 10.0 (CRITICAL) · tagged CVE-2023-20198 · CWE-420
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker.
Fix information can be found in the Fixed Software section of this advisory.
Our investigation has determined that the actors exploited two previously unknown issues.
The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.
The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant
GHSA · ghsa_unreviewed · 2023-10-25 · CVE-2023-20273 (HIGH) · CWE-78
GHSA-xm3x-5hpf-5369
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root.
This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.
VulnCheck · vulncheck · 2023 · CVSS 7.2 (HIGH) · CVE-2023-20273 · CWE-78
Cisco IOS XE Web UI Command Injection Vulnerability
Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the new local user to elevate privilege to root and write the implant to the file system. Cisco identified CVE-2023-20273 as the vulnerability exploited to deploy the implant. CVE-2021-1435, previously associated with the exploitation events, is no longer believed to be related to this activity.
Affected: Cisco IOS XE Web UI
Required Action: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine
Suricata · suricata · 2023-11-01 · CVSS 7.2 (HIGH) · CVE-2023-20273
ET EXPLOIT Cisco IOS XE Web UI Command Injection Vulnerability (CVE-2023-20273)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web UI Command Injection Vulnerability (CVE-2023-20273)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webui/rest/softwareMgmt/installAdd"; startswith; nocase; fast_pattern; http.cookie; content:"Auth="; startswith; http.header_names; to_lowercase; content:"|0d 0a|x-csrf-token|0d 0a|"; nocase; http.request_body; content:"|22|ipaddress|22|"; nocase; content:"|22|"; within:5; content:"|3a|"; within:5; content:"|3a|"; within:5; content:"|3a|"; within:5; pcre:"/^.{0,5}(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,blog.leakix.net/2023/10/cisco-
Metasploit · metasploit · CVSS 10.0 (CRITICAL) · tagged CVE-2023-20198
Cisco IOX XE unauthenticated OS command execution
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges. This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user, CVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read back via the webserver. Finally the output file is deleted and the admin user is removed. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.
Metasploit · metasploit · CVSS 10.0 (CRITICAL) · tagged CVE-2023-20198
Cisco IOX XE Unauthenticated RCE Chain
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.
Tenable · blogs_tenable · 2026-05-27 · tagged CVE-2023-4966
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Tenable · blogs_tenable · 2025-09-05
Cybersecurity Snapshot: Expert Advice for Securing Critical Infrastructure’s OT and Industrial Control Systems, IoT Devices and Network Infrastructure
Tenable · blogs_tenable · 2025-08-29
Chinese State-Sponsored Actors Compromising Global Networks
Tenable · blogs_tenable · 2025-08-29
Cybersecurity Snapshot: Agentic AI Security in Focus With Anthropic’s Chilling Abuse Disclosure and CSA’s New Identity Protection Framework
Bleepingcomputer · blogs_bleepingcomputer · 2025-08-27 · CVSS 9.8 (CRITICAL)
Global Salt Typhoon hacking campaigns linked to Chinese tech firms
By Lawrence Abrams
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.
According to the joint advisories [NSA, NCSC], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China's Ministry of State Security and the People's Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.
Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation
Bleepingcomputer · blogs_bleepingcomputer · 2025-07-17
Chinese hackers breached National Guard to steal network configurations
By Lawrence Abrams
The Chinese state-sponsored hacking group known as Salt Typhoon breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and administrator credentials that could be used to compromise other government networks.
Salt Typhoon is a Chinese state-sponsored hacking group that is believed to be affiliated with China's Ministry of State Security (MSS) intelligence agency. The hacking group has gained notoriety over the past two years for its wave of attacks on telecommunications and broadband providers worldwide, including AT&T, Verizon, Lumen, Charter, Windstream, and Viasat.
The goal of some of these attacks was to gain
Greynoiseio · blogs_greynoiseio · 2025-02-24 · CVSS 9.8 (CRITICAL)
GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks
Talos · blogs_talos · 2025-02-20 · CVSS 9.8 (CRITICAL)
Weathering the storm: In the midst of a Typhoon
## Summary
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities.
Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the
Bleepingcomputer · blogs_bleepingcomputer · 2025-02-14 · CVSS 10.0 (CRITICAL) · tagged CVE-2023-20198
Chinese hackers breach more US telecoms via unpatched Cisco routers
By Sergiu Gatlan
China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
Recorded Future's Insikt Group threat research division states that the Chinese hacking group (tracked as Salt Typhoon and RedMike) has exploited the CVE-2023-20198 privilege escalation and CVE-2023-20273 Web UI command injection vulnerabilities.
These ongoing attacks have already resulted in network breaches at multiple telecommunications providers, including a U.S. internet service provider (ISP), a U.S.-based affiliate of a U.K. telecommunications provider, a South African telecom provider, an Italian ISP, and a large Thaila
Tenable · blogs_tenable · 2024-11-15
Cybersecurity Snapshot: Five Eyes Rank 2023’s Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits
Bleepingcomputer · blogs_bleepingcomputer · 2024-11-12 · CVSS 10.0 (CRITICAL)
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
By Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned .
"In 2023, the majority of the most frequently exploited vulnerabilities
Bleepingcomputer · blogs_bleepingcomputer · 2024-01-10 · CVSS 7.3 (HIGH) · tagged CVE-2024-20272
Cisco says critical Unity Connection bug lets attackers get root
By Sergiu Gatlan
Cisco has patched a critical Unity Connection security flaw that can let unauthenticated attackers remotely gain root privileges on unpatched devices.
Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.
The vulnerability (CVE-2024-20272) was found in the software's web-based management interface, and it allows attackers to execute commands on the underlying operating system by uploading arbitrary files to targeted and vulnerable systems.
"This vulnerability is due to a lack of authentication in a specific API and improper validation of user-
Bleepingcomputer · blogs_bleepingcomputer · 2023-10-23 · CVSS 10.0 (CRITICAL) · tagged CVE-2023-20198
Cisco patches IOS XE zero-days used to hack over 50,000 devices
By Ionut Ilascu
Cisco has addressed the two vulnerabilities (CVE-2023-20198 and CVE-2023-20273) that hackers exploited to compromise tens of thousands of IOS XE devices over the past week.
The free software release comes after a threat actor leveraged the security issues as zero-days to compromise and take full control of more than 50,000 Cisco IOS XE hosts.
## Critical and medium-severity flaws
In an update to the original advisory, Cisco says that the first fixed software release is available from the company’s Software Download Center.
At the moment, the first fixed release available is 17.9.4a, with updates to roll out at a yet undisclosed date.
| Cisco IOS XE release | First fixed release | Available |
|---|---|---|
| 17.9 | 17.9.4a | Yes |
| 17.6 | 17.6.6a | TBD |
| 17.3 | 17.3.8a | TBD |
16.12 (
Bleepingcomputer · blogs_bleepingcomputer · 2023-10-22 · CVSS 10.0 (CRITICAL) · tagged CVE-2023-20198
Hackers update Cisco IOS XE backdoor to hide infected devices
By Lawrence Abrams
10/23/23 update added at the end explaining the cause of decreased detections.
The number of Cisco IOS XE devices detected with a malicious backdoor implant has plummeted from over 50,000 impacted devices to only a few hundred after the attackers updated the backdoor to hide infected systems from scans.
This week, Cisco warned that hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to hack over 50,000 Cisco IOS XE devices to create privileged user accounts and install a malicious LUA backdoor implant.
This LUA implant allows the threat actors to remotely execute commands at privilege level 15, the highest privilege level on the device.
However, this implant does not i
Bleepingcomputer · blogs_bleepingcomputer · 2023-10-20 · CVSS 7.2 (HIGH) · tagged CVE-2023-20273
Cisco discloses new IOS XE zero-day exploited to deploy malware implant
By Sergiu Gatlan
Cisco disclosed a new high-severity zero-day (CVE-2023-20273) today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week.
The company said it found a fix for both vulnerabilities and estimates it will be released to customers via the Cisco Software Download Center over the weekend, starting October 22.
"Fixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22. The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity," Cisco said today.
On Monday, Cisco disclosed that unauthenticated attackers have been exploiting the CVE
Tenable · blogs_tenable · 2023-10-16 · CVSS 10.0 (CRITICAL)
CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild
Recorded Future
Recorded Future Briefing | Munich Security Conference 2025 Insights by Insikt Group
blogs_recorded_future
Recorded Future Briefing | Munich Security Conference 2025 Insights by Insikt Group
## Munich Security Conference
## Insikt Group Briefing - February 13th 2025
## Overview
This document provides an overview of Recorded Future’s Insikt Group intelligence reporting and analysis published during the 2025 Munich Security Conference. Links to the full reports are included.
## Subject
Adversarial Actors — China, Russia, Iran, and North Korea — are adapting to and exploiting Western openness and fragmentation through hostile cyber, economic, and military actions.
## Reporting and Analysis
The Risk of a Taiwan Invasion Is Rising Fast
Russian Influence Operations Target German Elections
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
Inside the Scam: North Koreaʼs IT Worker Threat
## The Risk of a Taiwan Invasion Is Rising
Recorded Future
RedMike Cyber Attack on Cisco Devices in Telecommunications
blogs_recorded_future·CVSS 10.0
[CRITICAL] RedMike Cyber Attack on Cisco Devices in Telecommunications
## RedMike (Salt Typhoon) Exploits Cisco Vulnerabilities for Cyber Espionage
## RedMike (Salt Typhoon) Targets Cisco Telecom Networks
Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and exploit unpat
Greynoiseio
The Fourth Day Of Tagsmas (2023): A Critical Weakness In Cisco IOS XE (CVE-2023-20198)
blogs_greynoiseio·CVSS 10.0
[CRITICAL] The Fourth Day Of Tagsmas (2023): A Critical Weakness In Cisco IOS XE (CVE-2023-20198)
Greynoiseio
Unpacking CVE-2023-20198: A Critical Weakness In Cisco IOS XE:
blogs_greynoiseio·CVSS 10.0
[CRITICAL] Unpacking CVE-2023-20198: A Critical Weakness In Cisco IOS XE:
HackerOne
Cisco IOS XE instance at ████ vulnerable to CVE-██████
hackerone·2025-02-19·CVSS 7.2
CVE-2023-20273 [HIGH] Cisco IOS XE instance at ████ vulnerable to CVE-██████
Cisco IOS XE instance at ████ vulnerable to CVE-██████
## Summary:
CVE-███████ is characterized by improper path validation to bypass Nginx filtering to reach the webui_wsma_http web endpoint without requiring authentication. By bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS root user to facilitate implantation.
This PoC exploits CVE-█████████ to leverage two different XML SOAP endpoints:
The vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint to insert commands into the `execCLI` element tag.
The add user option targets the `cisco:ws
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20273
2023-10-25
Published
2023-10-23
Added to CISA KEV
Exploited in the wild