SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2023-20198

CVE-2023-20198: Cisco IOS XE Auth Bypass Vulnerability

CVE-2023-20198 is an authentication bypass flaw in Cisco IOS XE Software's web UI that enables attackers to gain privilege 15 access and create unauthorized users. This article covers technical details, affected systems, and mitigation.

Updated:

CVE-2023-20198 Overview

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0.

Critical Impact

Unauthorized access and potential full compromise of the device.

Affected Products

  • Rockwellautomation Allen-Bradley Stratix 5200
  • Rockwellautomation Allen-Bradley Stratix 5800
  • Cisco IOS XE

Discovery Timeline

  • Not Available - Vulnerability discovered by Not Available
  • Not Available - Responsible disclosure to rockwellautomation
  • Not Available - CVE CVE-2023-20198 assigned
  • Not Available - rockwellautomation releases security patch
  • 2023-10-16 - CVE CVE-2023-20198 published to NVD
  • 2025-10-28 - Last updated in NVD database

Technical Details for CVE-2023-20198

Vulnerability Analysis

The vulnerability allows attackers to exploit the web UI feature in Cisco IOS XE Software, which results in unauthorized access leading to privilege escalation.

Root Cause

Improper access control in the web UI component allowed unauthorized command execution.

Attack Vector

Network-based attack leveraging web UI endpoints.

bash
# Given script utilizes the web UI endpoints to execute unauthorized commands
curl -X POST "http://victim-device/api/login" -d "username=attacker&password=pass" -k

Detection Methods for CVE-2023-20198

Indicators of Compromise

  • Creation of unexpected local user accounts
  • Privilege escalation logs
  • Unusual configuration changes in Cisco devices

Detection Strategies

Deploy network intrusion detection systems to monitor for abnormal API calls and unauthorized user creation events.

Monitoring Recommendations

Continuously monitor login attempts and API interactions on Cisco IOS XE devices for signs of malicious activities.

How to Mitigate CVE-2023-20198

Immediate Actions Required

  • Revoke any suspicious user accounts
  • Apply the latest firmware updates provided by Cisco
  • Audit user activity on devices

Patch Information

Visit Cisco's official advisory page for applicable patches and updates.

Workarounds

Disable unnecessary web UI access and implement IP whitelisting to restrict access.

bash
# Configuration example to limit access
conf t
   ip access-list standard ALLOWED
      permit 192.168.1.0 0.0.0.255
   exit
!
line vty 0 4
   access-class ALLOWED in
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne