Cyber Resilience

CVE-2023-20198

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 16 October 2023

Published
16 October 2023
Modified
28 October 2025
KEV Added
16 October 2023
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.9401 99.9th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-20198 is a critical-severity Unprotected Alternate Channel (CWE-420) vulnerability in Cisco Ios Xe. Its CVSS base score is 10.0 (Critical).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2023-20198 is a critical vulnerability in the web UI feature of Cisco IOS XE Software. It carries a CVSS score of 10.0 and is associated with CWE-420. The issue was identified during Cisco's investigation of active exploitation and is tracked under CSCwh87343 alongside a related flaw, CVE-2023-20273.

Remote attackers can exploit CVE-2023-20198 without authentication to obtain initial access to affected devices. They then issue privilege-15 commands to create a local user account, after which a second web UI component is leveraged with that account to escalate privileges to root and install an implant on the file system.

Cisco's security advisory details the provision of updated fixed releases and a Software Checker tool for identifying vulnerable instances. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity.

EPSS scores have reached a peak of 0.9556 with a current value of 0.9401, reflecting sustained and widespread exploitation interest following disclosure.

EU & UK References

Vulnerability details

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that…

more

the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

CWE(s)
KEV Date Added
16 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

rockwellautomation
allen-bradley stratix 5200 firmware
≤ 17.12.02
rockwellautomation
allen-bradley stratix 5800 firmware
≤ 17.12.02
cisco
ios xe
16.12 — 16.12.10a · 17.3 — 17.3.8a · 17.6 — 17.6.6a

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access-control policy on the web UI, blocking the unauthenticated initial-access vector used by CVE-2023-20198.

prevent

Requires identification and authentication before any web-UI session, eliminating the PR:N flaw that lets attackers reach privilege-15 commands.

prevent

Mandates prompt installation of the Cisco IOS XE patches that close both CVE-2023-20198 and the follow-on CVE-2023-20273.

References