CVE-2023-20109

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 27 September 2023
Modified: 28 October 2025
KEV Added: 10 October 2023
Patch
CVSS Score v3.1: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0063 (70.8th percentile)
Risk Priority: 34 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20109 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Cisco IOS. Its CVSS base score is 6.6 (Medium).

Operationally, its EPSS score places it in the top 29.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software stems from insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols. The flaw, tracked as CVE-2023-20109 with a CVSS score of 6.6, is also associated with CWE-787 and affects devices configured for GET VPN operations.

An authenticated remote attacker who has already obtained administrative control of either a group member or a key server can exploit the issue by compromising an installed key server or redirecting a group member to an attacker-controlled key server. Successful exploitation enables arbitrary code execution with full system control or triggers a device reload resulting in denial of service.

The Cisco Security Advisory at sec.cloudapps.cisco.com provides mitigation guidance and software updates, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation. The current EPSS score of 0.0063 reflects limited but non-zero exploitation probability.

EU & UK References

Vulnerability details

A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash. This vulnerability is due to insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. An attacker could exploit this vulnerability by either compromising an installed key server or modifying the configuration of a group member to point to a key server that is controlled by the attacker. A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a denial of service (DoS) condition. For more information, see the Details section of this advisory.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 10 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Cisco IOS: 12.4(22)md, 12.4(22)md1, 12.4(22)md2, 12.4(22)mda, 12.4(22)mda1
Cisco IOS XE: 16.1.1, 16.1.2, 16.1.3, 16.10.1, 16.10.1a

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly enforces validation of GDOI and G-IKEv2 protocol attributes, blocking the out-of-bounds write that enables RCE or DoS.

prevent (CM-5, Access Restrictions for Change): Restricts unauthorized changes to group-member configuration that would redirect it to an attacker-controlled key server.

prevent: Requires timely application of vendor patches that eliminate the insufficient attribute validation in the GET VPN implementation.
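As an added example, not part of this record or of any Cisco tooling, the following Python audits a group member's running configuration for GET VPN key servers that are not on an operator-maintained allowlist, the configuration change the CM-5 control above is meant to prevent. The config excerpt, group names and the allowlist are constructed; the `crypto gdoi group` / `server address ipv4` lines follow IOS group-member syntax.

```python
import re
from typing import Dict, List, Set

# Constructed running-config excerpt: a group member registered with two
# key servers, the second of which is not an expected key server.
SAMPLE_CONFIG = """\
hostname GM-branch-01
!
crypto gdoi group GETVPN-DATA
 identity number 1234
 server address ipv4 10.0.0.10
 server address ipv4 192.0.2.99
!
crypto gdoi group GETVPN-VOICE
 identity number 5678
 server address ipv4 10.0.0.10
!
"""

# Hypothetical allowlist: the key servers operators actually deployed.
KNOWN_KEY_SERVERS: Set[str] = {"10.0.0.10", "10.0.0.11"}

_GROUP_RE = re.compile(r"^crypto gdoi group (\S+)")
_KS_RE = re.compile(r"^\s+server address ipv4 (\d{1,3}(?:\.\d{1,3}){3})")


def parse_key_servers(config: str) -> Dict[str, List[str]]:
    """Return {gdoi group name: [configured key server addresses]}."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = _GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if line.startswith("!"):
            current = None  # '!' closes a config section in IOS
            continue
        if current is not None:
            m = _KS_RE.match(line)
            if m:
                groups[current].append(m.group(1))
    return groups


def unexpected_key_servers(config: str, allowlist: Set[str]) -> Dict[str, List[str]]:
    """Return {group: [key servers outside the allowlist]} for groups that have any."""
    findings: Dict[str, List[str]] = {}
    for group, servers in parse_key_servers(config).items():
        bad = [s for s in servers if s not in allowlist]
        if bad:
            findings[group] = bad
    return findings


if __name__ == "__main__":
    for group, servers in unexpected_key_servers(SAMPLE_CONFIG, KNOWN_KEY_SERVERS).items():
        print(f"{group}: unexpected key server(s) {', '.join(servers)}")
```

Run it against `show running-config` output collected from each group member; any finding is a key-server redirection that should be reconciled with change records before the device is trusted.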

References