CVE-2023-20198
Cisco IOS XE Web UI Privilege Escalation Vulnerability - [Actively Exploited]
Description
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
INFO
Published Date :
Oct. 16, 2023, 4:15 p.m.
Last Modified :
Oct. 28, 2025, 1:59 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker to create an account with privilege level 15 access. The attacker can then use that account to gain control of the affected device.
Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html; https://nvd.nist.gov/vuln/detail/CVE-2023-20198
Affected Products
The following products are affected by CVE-2023-20198
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Refer to the vendor advisory for specific patching and configuration guidance.
- Apply the appropriate updates or patches provided by the vendor.
Public PoC/Exploit Available at Github
CVE-2023-20198 has a 84 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2023-20198.
| URL | Resource |
|---|---|
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z | Mitigation Vendor Advisory |
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z | Mitigation Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20198 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2023-20198 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2023-20198
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Python
𝘒𝘦𝘴𝘵𝘳𝘦𝘭 — 𝘈 𝘲𝘶𝘦𝘴𝘵𝘪𝘰𝘯-𝘢𝘯𝘴𝘸𝘦𝘳𝘪𝘯𝘨 𝘴𝘺𝘴𝘵𝘦𝘮 𝘶𝘴𝘪𝘯𝘨 𝘙𝘦𝘵𝘳𝘪𝘦𝘷𝘢𝘭-𝘈𝘶𝘨𝘮𝘦𝘯𝘵𝘦𝘥 𝘎𝘦𝘯𝘦𝘳𝘢𝘵𝘪𝘰𝘯 (𝘙𝘈𝘎) 𝘴𝘦𝘳𝘷𝘪𝘯𝘨 𝘢𝘴 𝘢 𝘤𝘺𝘣𝘦𝘳𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺 𝘳𝘦𝘴𝘦𝘢𝘳𝘤𝘩 𝘢𝘴𝘴𝘪𝘴𝘵𝘢𝘯𝘵.
Python
None
None
护网2024-POC收录备份
备份的漏洞库,3月开始我们来维护
None
None
Python
CVE POC repo 자동 수집기
Python
None
Analysis, detection, and mitigation of CVE-2023-20198 exploitation in Cisco IOS XE – QUB CSC3064 Network Security Assessment
None
Python Shell HTML JavaScript PowerShell TeX
A go-exploit to scan for implanted Cisco IOS XE Systems cve-2023-20198, go-exploit
Dockerfile Makefile Go
None
HTML
Exploit PoC for CVE-2023-20198
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2023-20198 vulnerability anywhere in the article.
-
security.nl
'Ruim 14.000 Cisco-routers geïnfecteerd met Badcandy-backdoor'
Wereldwijd zijn ruim veertienduizend Cisco-routers en -switches, waaronder 129 in Nederland, geïnfecteerd met de Badcandy-backdoor, zo stelt The Shadowserver Foundation op basis van eigen onderzoek. D ... Read more
-
The Register
Attackers targeting unpatched Cisco kit notice malware implant removal, install it again
Infosec in brief Australia’s Signals Directorate (ASD) last Friday warned that attackers are installing an implant named “BADCANDY” on unpatched Cisco IOS XE devices and can detect deletion of their w ... Read more
-
The Hacker News
ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability
Nov 01, 2025Ravie LakshmananArtificial Intelligence / Vulnerability The Australian Signals Directorate (ASD) has issued a bulletin about ongoing cyber attacks targeting unpatched Cisco IOS XE device ... Read more
-
CybersecurityNews
Hackers Exploiting Cisco IOS XE Vulnerability in the Wild to Deploy BADCANDY Web Shell
Cybercriminals and state-sponsored actors are ramping up attacks on unpatched Cisco IOS XE devices across Australia, deploying a persistent Lua-based web shell known as BADCANDY to maintain unauthoriz ... Read more
-
BleepingComputer
Australia warns of BadCandy infections on unpatched Cisco devices
The Australian government is warning about ongoing cyberattacks against unpatched Cisco IOS XE devices in the country to infect routers with the BadCandy webshell. The vulnerability exploited in these ... Read more
-
security.nl
Australië waarschuwt voor Cisco-routers besmet met Badcandy-malware
De Australische overheid waarschuwt organisaties voor routers en switches van Cisco die met de "Badcandy" malware besmet zijn. Badcandy is een webshell waarmee aanvallers toegang tot gecompromitteerde ... Read more
-
The Cyber Express
Hundreds of Australian Devices Compromised with BadCandy Implant
Australian cyber agency has issued a critical advisory warning that over 150 devices in Australia remain compromised with the BadCandy implant as of late October 2025—two years after patches became av ... Read more
-
CybersecurityNews
Chinese State-Sponsored Hackers Attacking Telecommunications Infrastructure to Harvest Sensitive Data
In late 2024, a new wave of cyber espionage emerged targeting global telecommunications infrastructure. Operating under the moniker Salt Typhoon, this Chinese state-sponsored group has focused its eff ... Read more
-
CybersecurityNews
Chinese APT Hackers Exploit Router Vulnerabilities to Infiltrate Enterprise Environments
Over the past several years, a concerted campaign by Chinese state-sponsored Advanced Persistent Threat (APT) groups has exploited critical vulnerabilities in enterprise-grade routers to establish lon ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 35
The Good | Interpol Cracks Down on Cybercrime as U.S. Sanctions North Korean IT Scheme Interpol announced the arrest of over 1200 suspects in Operation Serengeti 2.0, a three-month crackdown on cyberc ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 35
The Good | Interpol Cracks Down on Cybercrime as U.S. Sanctions North Korean IT Scheme Interpol announced the arrest of over 1200 suspects in Operation Serengeti 2.0, a three-month crackdown on cyberc ... Read more
-
The Hacker News
Salt Typhoon Exploits Cisco, Ivanti, Palo Alto Flaws to Breach 600 Organizations Worldwide
The China-linked advanced persistent threat (APT) actor known as Salt Typhoon has continued its attacks targeting networks across the world, including organizations in the telecommunications, governme ... Read more
-
Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
UK and US Blame Three Chinese Tech Firms for Global Cyberattacks
A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked three China-based technology companies to a long-running global cyberattac ... Read more
-
CybersecurityNews
CISA Publish Hunting and Mitigation Guide to Defend Networks from Chinese State-Sponsored Actors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA, FBI, and a broad coalition of international partners, has released a comprehensive cybersecurity advisory detailing ... Read more
-
The Register
If you thought China's Salt Typhoon was booted off critical networks, think again
China's Salt Typhoon cyberspies continue their years-long hacking campaign targeting critical industries around the world, according to a joint security alert from cyber and law enforcement agencies a ... Read more
-
Daily CyberSecurity
An Espionage System: NSA, CISA, & Partners Expose Chinese APT Groups
In a multinational alert, the U.S. National Security Agency (NSA), CISA, FBI, and partners from more than a dozen allied nations have released a Joint Cybersecurity Advisory (CSA) exposing how Chinese ... Read more
-
BleepingComputer
Global Salt Typhoon hacking campaigns linked to Chinese tech firms
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-b ... Read more
-
BleepingComputer
Chinese hackers breached National Guard to steal network configurations
The Chinese state-sponsored hacking group known as Salt Typhoon breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and ... Read more
-
Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
Chinese Salt Typhoon Infiltrated US National Guard Network for Months
A sophisticated Chinese APT group, Salt Typhoon, successfully infiltrated the US state’s Army National Guard network for nearly a year, from March 2024 to December 2024. This breach, detailed in a Dep ... Read more
-
The Hacker News
Chinese Hackers Target Taiwan's Semiconductor Sector with Cobalt Strike, Custom Backdoors
The Taiwanese semiconductor industry has become the target of spear-phishing campaigns undertaken by three Chinese state-sponsored threat actors. "Targets of these campaigns ranged from organizations ... Read more
The following table lists the changes that have been made to the
CVE-2023-20198 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Oct. 28, 2025
Action Type Old Value New Value Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20198 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20198 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Removed Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20198 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20198 -
Reanalysis by [email protected]
May. 15, 2025
Action Type Old Value New Value Added CPE Configuration AND OR *cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5200_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 17.12.02 OR cpe:2.3:h:rockwellautomation:allen-bradley_stratix_5200:-:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5800_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 17.12.02 OR cpe:2.3:h:rockwellautomation:allen-bradley_stratix_5800:-:*:*:*:*:*:*:* -
Modified Analysis by [email protected]
Apr. 03, 2025
Action Type Old Value New Value -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z -
Modified Analysis by [email protected]
Jun. 17, 2024
Action Type Old Value New Value Removed CWE NIST NVD-CWE-noinfo Added CWE NIST NVD-CWE-Other -
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
CVE Modified by [email protected]
Jan. 25, 2024
Action Type Old Value New Value Removed Reference Cisco Systems, Inc. http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html Added CWE Cisco Systems, Inc. CWE-420 -
Reanalysis by [email protected]
Nov. 15, 2023
Action Type Old Value New Value Changed Reference Type http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html Exploit, Third Party Advisory http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry -
Modified Analysis by [email protected]
Nov. 15, 2023
Action Type Old Value New Value Changed Reference Type http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html No Types Assigned http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html Exploit, Third Party Advisory Changed CPE Configuration OR *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions up to (excluding) 17.9.4a OR *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions from (including) 16.12 up to (excluding) 16.12.10a *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions from (including) 17.3 up to (excluding) 17.3.8a *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions from (including) 17.6 up to (excluding) 17.6.6a *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions from (including) 17.9 up to (excluding) 17.9.4a -
CVE Modified by [email protected]
Nov. 14, 2023
Action Type Old Value New Value Added Reference Cisco Systems, Inc. http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html [No types assigned] -
CVE Modified by [email protected]
Nov. 07, 2023
Action Type Old Value New Value Changed Description Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory Cisco will provide updates on the status of this investigation and when a software patch is available. Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343. Removed Reference Cisco Systems, Inc. https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ Removed Reference Cisco Systems, Inc. https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit Removed Reference Cisco Systems, Inc. https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities -
CVE Modified by [email protected]
Oct. 25, 2023
Action Type Old Value New Value Added Reference https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities [No Types Assigned] -
Initial Analysis by [email protected]
Oct. 24, 2023
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Changed Reference Type https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ No Types Assigned https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ Press/Media Coverage, Third Party Advisory Changed Reference Type https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z No Types Assigned https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z Mitigation, Vendor Advisory Changed Reference Type https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit No Types Assigned https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit Third Party Advisory Added CWE NIST NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* versions up to (excluding) 17.9.4a -
CVE Modified by [email protected]
Oct. 16, 2023
Action Type Old Value New Value Added Reference https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit [No Types Assigned] -
CVE Modified by [email protected]
Oct. 16, 2023
Action Type Old Value New Value Added Reference https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ [No Types Assigned]
Vulnerability Scoring Details
Base CVSS Score: 10
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
94.07 }} 0.01%
score
0.99895
percentile