Cyber Resilience

CVE-2023-20273

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 25 October 2023
Modified: 28 October 2025
KEV Added: 23 October 2023
Patch: available (Cisco advisory cisco-sa-iosxe-webui-privesc-j22SaA4z)
CVSS v3.1 base score: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.9262 (99.8th percentile)
Risk Priority: 90 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-20273 is a high-severity OS command injection (CWE-78) vulnerability in the web UI of Cisco IOS XE Software. Its CVSS v3.1 base score is 7.2 (High).

Operationally, its EPSS score places it in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-20273 is a command injection vulnerability (CWE-78) in the web UI feature of Cisco IOS XE Software, caused by insufficient validation of input submitted to that interface. Successful exploitation lets an attacker execute arbitrary commands on the underlying operating system as root. The flaw carries a CVSS v3.1 base score of 7.2 and affects the web UI feature in the IOS XE release trains listed under Affected Assets.

An authenticated remote attacker holding valid administrative credentials can exploit the issue by submitting specially crafted input through the web UI, and thereby run commands as root on the device. That amounts to full control of the system: configuration changes, data exfiltration, or installation of persistence. The PR:H component of the CVSS vector is what holds the base score at 7.2 despite the root-level impact. In the exploitation observed at disclosure, that credential requirement was met by chaining with CVE-2023-20198, the web UI authentication bypass addressed in the same Cisco advisory, which lets an attacker first create a privileged local account; the two CVEs should therefore be treated as a single exposure when assessing a device.

The Cisco Security Advisory cisco-sa-iosxe-webui-privesc-j22SaA4z lists the affected releases and the software updates that address the vulnerability. The flaw is also in CISA's Known Exploited Vulnerabilities catalog, so federal civilian agencies must remediate it by the KEV due date under BOD 22-01, and other organizations should prioritize it accordingly.

The EPSS score for this CVE currently stands at 0.9262 with a recorded peak of 0.9265, reflecting sustained high exploitation interest since disclosure.

EU & UK References

Vulnerability details

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 23 October 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cisco
Product: ios xe
Versions: 16.1.1, 16.1.2, 16.1.3, 16.10.1, 16.10.1a · 17.3 through 17.3.8a · 17.6 through 17.6.6a · 17.9 through 17.9.4a
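As an added example (not code from this page or from Cisco), the following Python script checks a device's `show version` output against the version list above and, from its running configuration, whether the web UI is enabled at all. The range bounds are copied from the list as given on this page, so a version outside them is reported as not listed rather than as safe; confirm any result against the Cisco advisory. The script assumes the standard `ip http server` / `ip http secure-server` commands control the web UI, which the Cisco advisory recommends disabling on exposed devices as a workaround. The sample `show version` and configuration text are constructed, not captured from a real device.

```python
import re

# Affected version ranges copied from the "Affected Assets" list on this page.
# Single versions are written as (v, v); trains as (first, last), inclusive.
# Anything outside these ranges is reported as "not listed", not as "safe":
# confirm against Cisco advisory cisco-sa-iosxe-webui-privesc-j22SaA4z.
AFFECTED_RANGES = [
    ("16.1.1", "16.1.1"), ("16.1.2", "16.1.2"), ("16.1.3", "16.1.3"),
    ("16.10.1", "16.10.1"), ("16.10.1a", "16.10.1a"),
    ("17.3", "17.3.8a"), ("17.6", "17.6.6a"), ("17.9", "17.9.4a"),
]

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def normalize(version):
    """Canonical form: strip zero padding ('17.09.04a' -> '17.9.4a')."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version string: {version!r}")
    nums = ".".join(str(int(x)) for x in m.group(1).split("."))
    return nums + m.group(2)


def version_key(version):
    """Sort key: numeric fields, then the rebuild letter ('' < 'a' < 'b').

    A short key such as (17, 3, 0) for '17.3' sorts before every 17.3.x,
    so a bare train number works as an inclusive lower bound.
    """
    m = VERSION_RE.match(normalize(version))
    nums = tuple(int(x) for x in m.group(1).split("."))
    rebuild = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return nums + (rebuild,)


def is_listed_affected(version):
    """True if the version falls inside any range on this page's list."""
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED_RANGES)


# 'show version' prints the release as "Version 17.09.04a" (zero padded) and
# again as "Version 17.9.4a"; both normalise to the same string.
SHOW_VERSION_RE = re.compile(r"Version (\d+(?:\.\d+)*[a-z]?)")


def extract_version(show_version_output):
    m = SHOW_VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no 'Version x.y.z' field found in show version output")
    return normalize(m.group(1))


def web_ui_enabled(running_config):
    """True if either HTTP server command is present (not negated) in the config.

    Assumption of this example: the web UI is controlled by the standard
    'ip http server' / 'ip http secure-server' commands; negated lines
    ('no ip http server') do not match, so they count as disabled.
    """
    lines = {ln.strip() for ln in running_config.splitlines()}
    return bool(lines & {"ip http server", "ip http secure-server"})


def assess(show_version_output, running_config):
    version = extract_version(show_version_output)
    listed = is_listed_affected(version)
    exposed = web_ui_enabled(running_config)
    if listed and exposed:
        action = "patch now; disable the web UI until the fixed release is installed"
    elif listed:
        action = "listed version, web UI disabled: patch at next window, keep it disabled"
    elif exposed:
        action = "version not on this page's list; confirm against the advisory before treating as safe"
    else:
        action = "not on the list and web UI disabled"
    return {"version": version, "listed_affected": listed,
            "web_ui_enabled": exposed, "action": action}


# Constructed sample text for the demo, not captured from a real device.
SAMPLE_SHOW_VERSION = (
    "Cisco IOS XE Software, Version 17.09.04\n"
    "Cisco IOS Software, Catalyst L3 Switch Software (CAT9K_IOSXE), "
    "Version 17.9.4, RELEASE SOFTWARE (fc1)\n"
)
SAMPLE_RUNNING_CONFIG = (
    "hostname edge-sw1\n"
    "ip http server\n"
    "ip http secure-server\n"
    "ip http authentication local\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG))
```

The rebuild-letter ordering matters: `17.9.4` and `17.9.4a` are different releases, and a naive string or float comparison would misplace one of them relative to the range boundary.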

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly requires validation of all input to the web UI, blocking the crafted payloads that enable CWE-78 command injection.

Least privilege (prevent; the control identifier did not survive extraction, and AC-6 Least Privilege is the 800-53 r5 control matching this description): limits privileges of web-UI processes and authenticated accounts so that even a successful injection cannot immediately yield root-level OS commands.

SI-2 Flaw Remediation (prevent): mandates prompt application of vendor patches that eliminate the input-validation flaw in the IOS XE web UI.
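The command injection described under Deeper analysis and the SI-10 control above come down to one pattern: an untrusted web-UI field reaching the operating system shell without validation. As an added, generic Python illustration (not Cisco's code; the IOS XE web UI is closed source, and `echo` stands in for whatever diagnostic tool a web form would invoke), the following shows the vulnerable construction beside its hardened form. The hostname and IPv4 allowlists, the function names and the attacker string are all assumptions of the example.

```python
import re
import subprocess

# --- Vulnerable pattern (generic CWE-78 illustration, not Cisco's code) ---
def ping_command_vulnerable(host):
    """Interpolates an untrusted web-form field straight into a shell command line."""
    return f"echo pinging {host}"   # 'echo' stands in for the real diagnostic tool


def run_vulnerable(host):
    """shell=True hands the string to /bin/sh, which parses the field as shell syntax."""
    result = subprocess.run(ping_command_vulnerable(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout


# --- Hardened form: allowlist validation plus no shell (SI-10 applied) ---
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def validate_host(host):
    """Accept only an RFC 1123 hostname or an IPv4 dotted quad; reject everything else.

    Allowlisting by grammar, rather than denylisting ';', '|', '$(' and friends,
    blocks the whole class of payloads instead of a known sample. Requiring the
    first character to be alphanumeric also stops a value such as '-n' from
    being read as an option by the tool once the shell is out of the picture.
    """
    if len(host) > 253:
        raise ValueError("host too long")
    if HOSTNAME_RE.match(host) or IPV4_RE.match(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def ping_command_hardened(host):
    """Builds an argv list, so no shell ever sees the value; the allowlist runs first."""
    return ["echo", "pinging", validate_host(host)]


def run_hardened(host):
    result = subprocess.run(ping_command_hardened(host), capture_output=True, text=True)
    return result.stdout


# Constructed attacker input for the demo: a valid-looking address followed by
# a second command.
PAYLOAD = "127.0.0.1; echo INJECTED"

if __name__ == "__main__":
    print(run_vulnerable(PAYLOAD))      # second output line "INJECTED": the injected command ran
    try:
        run_hardened(PAYLOAD)
    except ValueError as e:
        print("hardened path:", e)
```

The hardened form removes the injection only. It says nothing about the AC-6 point above, which concerns the account the web-UI process runs as: on IOS XE the injected commands ran as root, so even with input validation in place the process privilege is the second line of defence.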

References