Cisco IOS XE Web UI vulnerability

23 October 2023 | CERT, SOC, Vulnerability

This live blog contains information regarding a vulnerability in Cisco IOS XE Web UI. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 23, 2023.

Update 23 October 2023

14:30 | Cisco has updated their security advisory. They have added a second vulnerability to the advisory, registered as CVE-2023-20273. This vulnerability is used to deploy an implant after initial access has been gained through CVE-2023-20198. The implant provides the attacker with a form of persistence. Details regarding this implant and how to identify it have been published in the Cisco Security Advisory.

Both vulnerabilities (CVE-2023-20198 and CVE-2023-20273) are actively being exploited, and based on research, a significant number of exposed Cisco IOS XE systems have the implant running. Now that details about the implant have been published, the attacker has likely modified it, so existing detection techniques may no longer work.

Cisco has published software updates for affected systems running Cisco IOS XE version 17.9, fixing both vulnerabilities. Details can be found in the Cisco Security Advisory. Software updates for other versions will follow. Update to the following versions:

  • Version 17.9 update to 17.9.4a
  • Version 17.6 update to 17.6.6a – Not available yet
  • Version 17.3 update to 17.3.8a – Not available yet
  • Version 16.12 (Catalyst 3650 and 3850 only) update to 16.12.10a – Not available yet

Call to action

  • Apply the software updates when available. For details see the Cisco Security Advisory.
  • If no update is available yet, limit access to the http/https Web UI to trusted networks. Consider (temporarily) disabling the Web UI.
  • Consider the system compromised and inspect it for indicators of compromise as described in the “Indicators of Compromise” section of Cisco's security advisory.

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 17 October 2023

13:30 | On the 16th of October, Cisco published a security advisory describing a vulnerability in the Web UI feature of Cisco IOS XE. The vulnerability is registered as CVE-2023-20198 and allows a remote unauthenticated attacker to create an account on the system with full admin access (level 15 access). The attacker can then use that account to gain control of the affected system. To exploit the vulnerability, the attacker needs access to the Web UI.

Exploitation of CVE-2023-20198 has been observed in the wild. There is no patch available. It is advised to disable the Web UI on HTTP and HTTPS or restrict access to the Web UI to trusted networks.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On the 16th of October, Cisco published a security advisory describing a vulnerability in the Web UI feature of Cisco IOS XE. The vulnerability is registered as CVE-2023-20198 and allows a remote unauthenticated attacker to create an account on the system with full admin access (level 15 access). The attacker can then use that account to gain control of the affected system. To exploit the vulnerability, the attacker needs access to the Web UI.

Exploitation of CVE-2023-20198 has been observed in the wild. There is no patch available. It is advised to disable the Web UI on HTTP and HTTPS or restrict access to the Web UI to trusted networks.

Potential Risk

The vulnerability CVE-2023-20198 has a CVSS score of 10. The CVSS scale runs from 0 to 10. A score of 9.8 is rare and implies a high risk of exploitation with high impact. The vulnerability allows a remote attacker to create an account on the system with full admin access (level 15 access). The attacker can then use the account to gain control of the affected system. To exploit the vulnerability, the attacker needs access to the Web UI.

Exploitation of CVE-2023-20198 has been observed in the wild, but exploit code is not publicly available. There is no patch available. It is advised to disable the Web UI on HTTP and HTTPS or restrict access to the Web UI to trusted networks.

Detail info

Cisco IOS XE is vulnerable to CVE-2023-20198. Cisco has not published any version information, and no patch is available at this moment. It is advised to disable the Web UI on HTTP and HTTPS or restrict access to the Web UI to trusted networks. We will write an update as soon as there is a patch available.
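The mitigation recommended above and in the call to action (disable the Web UI, or restrict it to trusted networks) looks like this on an IOS XE device. This is an added example and not configuration from the Tesorion post or from Cisco's advisory; the management subnet 192.0.2.0/24 and the ACL name WEBUI-MGMT are assumptions for illustration.

```cisco
! Added example (not from the Tesorion post or Cisco's advisory): applying the
! Web UI mitigation on Cisco IOS XE. Trusted subnet 192.0.2.0/24 and the ACL
! name WEBUI-MGMT are assumptions chosen for illustration.

! --- Exposed configuration: the Web UI answers to any address that can reach it
ip http server
ip http secure-server

! --- Option 1 (preferred while no fixed release is available): disable the Web UI.
!     Confirm first that no other management integration depends on the HTTP server.
configure terminal
 no ip http server
 no ip http secure-server
end
write memory

! --- Option 2: keep the Web UI, but only reachable from the trusted management network.
!     The "log" keyword on the deny entry records blocked attempts for monitoring.
configure terminal
 ip access-list standard WEBUI-MGMT
  permit 192.0.2.0 0.0.0.255
  deny   any log
 exit
 ip http access-class ipv4 WEBUI-MGMT
 no ip http server
 ip http secure-server
end
write memory

! --- Verify what is actually in effect on the device
show running-config | include ip http
show ip access-lists WEBUI-MGMT
```

Either option reduces exposure only; a device that was reachable before the change should still be inspected for the indicators of compromise in Cisco's advisory.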

Cisco has published indicators of compromise (IOCs), and it is advised to inspect potentially impacted devices for the presence of these indicators. The IOCs can be found in the security advisory written by Cisco: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
