Cisco Provides Update on Investigation into Web UI Exploitation
CVE-2023-20198

10CRITICAL

Key Information:

Vendor
Cisco
Status
Cisco iOS Xe Software
Vendor
CVE Published:
16 October 2023

Badges

📈 Trended💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 87%🦅 CISA Reported📰 News Worthy

What is CVE-2023-20198?

CVE-2023-20198 is a severe security vulnerability affecting Cisco IOS XE Software, a widely utilized operating system for Cisco's networking devices. This vulnerability enables attackers to exploit the web user interface (UI) to gain unauthorized access and create local user accounts with elevated privileges. By leveraging this access, threat actors can potentially compromise network integrity, disrupt operations, and deploy malicious payloads, which can have dire consequences for organizations reliant on Cisco networking solutions.

Technical Details

CVE-2023-20198 has been assigned a CVSS score of 10.0, signifying critical severity in its impact. The vulnerability allows an attacker to issue privilege 15 commands, thereby enabling the creation of local user accounts with normal access rights. This initial foothold is often followed by further exploitation of additional vulnerabilities in the system, which may lead to privilege escalation and the ability to write unauthorized files into the system's file structure. Cisco has identified this flaw in conjunction with CVE-2023-20273, indicating a multi-layered attack scenario that can be exploited by malicious actors.

Potential impact of CVE-2023-20198

  1. Unauthorized Access and Control: The vulnerability permits attackers to gain unauthorized access to critical networking devices, allowing them to manipulate settings and potentially disrupt network operations.

  2. Privilege Escalation: By creating local user accounts with higher privileges, threat actors can escalate their access, further compromising device and network security, and enabling more extensive malicious activities.

  3. Deployment of Malicious Payloads: Once attackers utilize elevated privileges, they can write malicious scripts or implants to the file system, which can enable persistent threats, data exfiltration, or facilitate ransomware deployment across the affected network infrastructure.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.

Affected Version(s)

Cisco IOS XE Software 16.1.1

Cisco IOS XE Software 16.1.2

Cisco IOS XE Software 16.1.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cisco-ios-xe-implant-detection
Created by fox-it

CVE-2023-20198
Created by smokeintheshell

CVE-2023-20198-Checker
Created by ZephrFish

News Articles

favicon imagePalo Alto Networks

Threat Brief: Cisco IOS XE Web UI Privilege Escalation Vulnerability (Updated)

CVE-2023-20198 impacts Cisco IOS XE devices and allows attackers full admin access. Our overview includes attack surface telemetry of potential impact.

8 months ago

favicon imageButtondown

Cybersecurity Newsletter 29th April 2024

Cybersecurity Newsletter 29th April 2024 In this week’s news: UNICEF breached, Post Office phishing site gets more traffic than real one, Venture Capitalists...

9 months ago

favicon imageThe Record from Recorded Future News

Norway issues warning after ‘important businesses’ affected by Cisco zero-days

The chief of Norway's NSM agency said the pair of zero-day vulnerabilities affecting Cisco IOS XE had created a "very serious" situation for some organizations.

9 months ago

References

https://sec.cloudapps.cisco.com/security/center/content/C...

EPSS Score

87% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 📈

    Vulnerability started trending

  • 💰

    Used in Ransomware

  • 👾

    Exploit known to exist

  • 🦅

    CISA Reported

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

.