CVE-2023-20198
Published: 16 October 2023
Summary
CVE-2023-20198 is a critical-severity Unprotected Alternate Channel (CWE-420) vulnerability in Cisco Ios Xe. Its CVSS base score is 10.0 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2023-20198 is a critical vulnerability in the web UI feature of Cisco IOS XE Software. It carries a CVSS score of 10.0 and is associated with CWE-420. The issue was identified during Cisco's investigation of active exploitation and is tracked under CSCwh87343 alongside a related flaw, CVE-2023-20273.
Remote attackers can exploit CVE-2023-20198 without authentication to obtain initial access to affected devices. They then issue privilege-15 commands to create a local user account, after which a second web UI component is leveraged with that account to escalate privileges to root and install an implant on the file system.
Cisco's security advisory details the provision of updated fixed releases and a Software Checker tool for identifying vulnerable instances. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity.
EPSS scores have reached a peak of 0.9556 with a current value of 0.9401, reflecting sustained and widespread exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24377
Vulnerability details
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that…
more
the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
- CWE(s)
- KEV Date Added
- 16 October 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces access-control policy on the web UI, blocking the unauthenticated initial-access vector used by CVE-2023-20198.
Requires identification and authentication before any web-UI session, eliminating the PR:N flaw that lets attackers reach privilege-15 commands.
Mandates prompt installation of the Cisco IOS XE patches that close both CVE-2023-20198 and the follow-on CVE-2023-20273.