Login Sign Up

CVE-2023-20198

10.0 CRITICAL
Remote Code Execution Authentication Bypass

📋 TL;DR

CVE-2023-20198 is a critical vulnerability in Cisco IOS XE Software web UI that allows unauthenticated attackers to gain initial access and create local user accounts. Combined with CVE-2023-20273, attackers can escalate privileges to root and install persistent implants. This affects organizations running vulnerable versions of Cisco IOS XE Software with the web UI enabled.

💻 Affected Systems

Products:
  • Cisco IOS XE Software
Versions: Versions with web UI feature enabled, specific affected versions detailed in Cisco advisory
Operating Systems: Cisco IOS XE
Default Config Vulnerable: ⚠️ Yes
Notes: Requires web UI feature to be enabled. Both physical and virtual devices running IOS XE are affected.

📦 What is this software?

Allen Bradley Stratix 5200 Firmware by Rockwellautomation

View all CVEs affecting Allen Bradley Stratix 5200 Firmware →

Allen Bradley Stratix 5800 Firmware by Rockwellautomation

View all CVEs affecting Allen Bradley Stratix 5800 Firmware →

Ios Xe by Cisco

Cisco IOS XE is Cisco's modern network operating system running on enterprise routers, switches, and wireless controllers deployed across corporate networks, data centers, branch offices, and service provider infrastructure worldwide. As the evolution of Cisco IOS, IOS XE provides a Linux-based modu...

Learn more about Ios Xe →

Ios Xe by Cisco

Cisco IOS XE is Cisco's modern network operating system running on enterprise routers, switches, and wireless controllers deployed across corporate networks, data centers, branch offices, and service provider infrastructure worldwide. As the evolution of Cisco IOS, IOS XE provides a Linux-based modu...

Learn more about Ios Xe →

Ios Xe by Cisco

Cisco IOS XE is Cisco's modern network operating system running on enterprise routers, switches, and wireless controllers deployed across corporate networks, data centers, branch offices, and service provider infrastructure worldwide. As the evolution of Cisco IOS, IOS XE provides a Linux-based modu...

Learn more about Ios Xe →

Ios Xe by Cisco

Cisco IOS XE is Cisco's modern network operating system running on enterprise routers, switches, and wireless controllers deployed across corporate networks, data centers, branch offices, and service provider infrastructure worldwide. As the evolution of Cisco IOS, IOS XE provides a Linux-based modu...

Learn more about Ios Xe →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root-level access, persistent backdoor installation, network infrastructure takeover, and data exfiltration.

🟠

Likely Case

Initial access leading to privilege escalation, implant deployment, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact if web UI is disabled or proper network segmentation isolates affected devices.

🌐 Internet-Facing: HIGH - Web UI exposed to internet allows unauthenticated remote exploitation.
🏢 Internal Only: MEDIUM - Requires internal network access but still exploitable without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild. Attack chain involves CVE-2023-20198 for initial access and CVE-2023-20273 for privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Cisco advisory for specific fixed releases

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Restart Required: Yes

Instructions:

1. Check current IOS XE version. 2. Review Cisco advisory for fixed releases. 3. Download and apply appropriate patch. 4. Reboot device. 5. Verify patch installation.

🔧 Temporary Workarounds

Disable Web UI

all

Disable the vulnerable web UI feature to prevent exploitation

no ip http server
no ip http secure-server

Restrict Access

all

Limit web UI access to trusted networks using ACLs

ip http access-class <ACL-NUMBER>
ip http secure-server access-class <ACL-NUMBER>

🧯 If You Can't Patch

  • Immediately disable web UI using 'no ip http server' and 'no ip http secure-server' commands
  • Implement strict network segmentation to isolate affected devices from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check if web UI is enabled: 'show running-config | include ip http' and verify IOS XE version against affected versions in Cisco advisory

Check Version:

show version

Verify Fix Applied:

Verify patch installation: 'show version' and confirm version matches fixed release. Check for implant indicators: 'show running-config | include username' for suspicious users

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user account creation
  • Privilege escalation attempts
  • Web UI authentication bypass logs
  • Implant-related file system modifications

Network Indicators:

  • Unusual HTTP/HTTPS traffic to device web UI
  • Suspicious command execution patterns
  • Outbound connections from network devices to unknown IPs

SIEM Query:

Search for: 'CVE-2023-20198', 'CVE-2023-20273', 'Cisco IOS XE web UI exploitation', 'privilege 15 command execution', 'local user creation on network devices'

📊 Metadata

CVE ID: CVE-2023-20198
CVSS v3 Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-420
Published: October 16, 2023
Last Updated: October 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-20198, you might also want to check these:

CVE-2025-52921 9.9

This vulnerability allows authenticated attackers to achieve remote code execution on Innoshop serve...

Same vulnerability type (CWE-420)
CVE-2025-13315 9.8

CVE-2025-13315 is an authentication bypass vulnerability in Twonky Server that allows unauthenticate...

Same vulnerability type (CWE-420)
CVE-2025-54309 9.0

This vulnerability in CrushFTP allows remote attackers to bypass AS2 validation and gain administrat...

Same vulnerability type (CWE-420)