CVE-2023-20273
Published: 25 October 2023
Summary
CVE-2023-20273 is a high-severity OS Command Injection (CWE-78) vulnerability in Cisco IOS XE. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-20273 is a command injection vulnerability in the web UI feature of Cisco IOS XE Software that stems from insufficient input validation and is tracked under CWE-78. Successful exploitation permits an attacker to execute arbitrary commands on the underlying operating system with root privileges. The flaw carries a CVSS 3.1 base score of 7.2 and affects the web UI component across supported IOS XE releases.
An authenticated remote attacker with valid administrative credentials can exploit the issue by submitting specially crafted input through the web UI. This grants the attacker the ability to run commands at root level on the device, potentially leading to full control of the affected system including configuration changes, data exfiltration, or persistence mechanisms.
The official Cisco Security Advisory cisco-sa-iosxe-webui-privesc-j22SaA4z details the affected versions and available software updates that address the vulnerability. The flaw is also listed in CISA's Known Exploited Vulnerabilities catalog, indicating that federal agencies and other organizations should prioritize patching according to the published timelines.
The EPSS score for this CVE currently stands at 0.9262 with a recorded peak of 0.9265, reflecting sustained high exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24452
Vulnerability details
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.
- CWE(s): CWE-78
- KEV Date Added: 23 October 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all input to the web UI, blocking the crafted payloads that enable CWE-78 command injection.
- Least privilege: Limits privileges of web-UI processes and authenticated accounts so that even successful injection cannot immediately yield root-level OS commands.
- SI-2 (Flaw Remediation): Mandates prompt application of vendor patches that eliminate the input-validation flaw in the IOS XE web UI.