CVE-2023-20198 Overview
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0.
Critical Impact
Unauthorized access and potential full compromise of the device.
Affected Products
- Rockwellautomation Allen-Bradley Stratix 5200
- Rockwellautomation Allen-Bradley Stratix 5800
- Cisco IOS XE
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to rockwellautomation
- Not Available - CVE CVE-2023-20198 assigned
- Not Available - rockwellautomation releases security patch
- 2023-10-16 - CVE CVE-2023-20198 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2023-20198
Vulnerability Analysis
The vulnerability allows attackers to exploit the web UI feature in Cisco IOS XE Software, which results in unauthorized access leading to privilege escalation.
Root Cause
Improper access control in the web UI component allowed unauthorized command execution.
Attack Vector
Network-based attack leveraging web UI endpoints.
# Given script utilizes the web UI endpoints to execute unauthorized commands
curl -X POST "http://victim-device/api/login" -d "username=attacker&password=pass" -k
Detection Methods for CVE-2023-20198
Indicators of Compromise
- Creation of unexpected local user accounts
- Privilege escalation logs
- Unusual configuration changes in Cisco devices
Detection Strategies
Deploy network intrusion detection systems to monitor for abnormal API calls and unauthorized user creation events.
Monitoring Recommendations
Continuously monitor login attempts and API interactions on Cisco IOS XE devices for signs of malicious activities.
How to Mitigate CVE-2023-20198
Immediate Actions Required
- Revoke any suspicious user accounts
- Apply the latest firmware updates provided by Cisco
- Audit user activity on devices
Patch Information
Visit Cisco's official advisory page for applicable patches and updates.
Workarounds
Disable unnecessary web UI access and implement IP whitelisting to restrict access.
# Configuration example to limit access
conf t
ip access-list standard ALLOWED
permit 192.168.1.0 0.0.0.255
exit
!
line vty 0 4
access-class ALLOWED in
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
