>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2023-20198

Cisco IOS XE Web UI Privilege Escalation Zero-Day

A privilege-escalation vulnerability in the Web UI feature of Cisco IOS XE Software allows a remote, unauthenticated attacker to create an account with privilege level 15 (full admin) access, enabling full device takeover. Exploited at mass scale against tens of thousands of devices.

Vendor: Cisco
Product: IOS XE Software
CVSS: 10.0
Status: kev
Published:
CVE-2023-20198 is a maximum-severity (CVSS 10.0) vulnerability in the Web UI feature of Cisco IOS XE Software, the operating system that runs on Cisco’s enterprise switches, routers, and wireless controllers. The flaw allows a remote, unauthenticated attacker to create a local user account with privilege level 15 — Cisco’s highest privilege tier, equivalent to full administrative control.

Cisco disclosed the vulnerability on October 16, 2023, after observing exploitation in the wild as early as late September. A second vulnerability, CVE-2023-20273, was used in combination to inject a persistent implant onto compromised devices. Internet-wide scans by independent researchers identified tens of thousands of compromised Cisco IOS XE devices with the implant installed within days of disclosure.

Why it mattered

IOS XE runs the core routing and switching infrastructure for a huge share of enterprise and service-provider networks. A privilege-escalation flaw reachable through the device’s web management interface — often exposed to the internet for remote administration — turned ordinary network gear into a mass-exploitable target almost overnight, and the implant gave attackers persistence even across reboots in some configurations.

Cisco’s Talos team published indicators of compromise and a scanning methodology; CISA added the CVE to its KEV catalog with an expedited remediation deadline. Full technical detail is in the NVD entry for this CVE and in Cisco’s security advisory.