Attacker Value
Very High
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2023-20198

Disclosure Date: October 16, 2023
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Command and Control
Techniques
Validation
Validated

Description

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Cisco has detected ongoing exploitation of an undisclosed vulnerability within the web user interface (UI) component of Cisco IOS XE Software, particularly when it is accessible via the internet or untrusted networks. This vulnerability permits an external, unauthenticated malicious actor to establish an account on a compromised system with full privilege level 15 access. This unauthorized account can subsequently be leveraged to assume control over the compromised system.

This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.

To assess whether a system might have been infiltrated, carry out the following verifications:

Examine the system logs for indications of the following log messages, with “user” referring to any entities such as “cisco_tac_admin,” “cisco_support,” or any locally configured user that remains unfamiliar to the network administrator. Cisco has published more details of possible indicators of compromise in their advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z.

CVSS V3 Severity and Metrics
Base Score:
10.0 Critical
Impact Score:
6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • cisco

Products

  • ios xe
Technical Analysis