
Cisco IOS XE Web UI Attack

Released: Oct 20, 2023

Updated: Oct 23, 2023


Severity: Critical

Vendor: Cisco

Type: Vulnerability, Attack


Multiple 0-Day vulnerabilities on Cisco IOS XE Web UI

Active exploitation of previously unknown vulnerabilities in the Web User Interface (Web UI) of Cisco IOS XE software has been observed where the Web UI is exposed to the internet or to untrusted networks. According to open source reporting, thousands of vulnerable devices have been compromised.

Common Vulnerabilities and Exposures

CVE-2023-20198
CVE-2023-20273

Background

Cisco IOS XE is the internetworking operating system used by next-generation Cisco devices such as routers and switches. The Web User Interface (Web UI) provides simplified deployment and manageability of these devices. According to the vendor advisory, CVE-2023-20198 allows a remote, unauthenticated attacker to create an account on an affected system. The attacker can then use that account to gain control of the affected system, including installing a backdoor. Next, the attacker can use the new unauthorized local user account to exploit a second previously unknown vulnerability (CVE-2023-20273) in another component of the Web UI feature. This allows the adversary to inject commands with elevated (root) privileges, giving them the ability to run arbitrary commands on the device.
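As an added defender-side example, not part of the FortiGuard alert or of Cisco's advisory, the following Python checks a device's running-config and syslog for the two things the chain above leaves behind: a privilege 15 local account nobody provisioned, and configuration changes driven by the Web UI process. The %SYS-5-CONFIG_P and %SEC_LOGIN-5-WEBLOGIN_SUCCESS message names are standard IOS XE syslog messages; the sample lines, hostname, usernames and addresses are constructed, and the KNOWN_USERS allowlist is an assumption to fill from your own inventory.

```python
import re

# Constructed sample data (not captured from a real device). The message names are
# standard IOS XE syslog messages; timestamps, users, hosts and addresses are made up.
SAMPLE_SYSLOG = """\
*Oct 17 2023 03:12:01.110: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 03:12:01 UTC
*Oct 17 2023 03:12:09.431: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
*Oct 17 2023 03:12:14.002: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: unexpected_admin] [Source: 203.0.113.7] at 03:12:14 UTC
"""

SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$PLACEHOLDERHASH
username unexpected_admin privilege 15 secret 9 $9$PLACEHOLDERHASH
ip http server
ip http secure-server
"""

# Assumption: the set of local accounts your organisation actually provisioned.
KNOWN_USERS = {"netops"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
PROG_CONFIG_RE = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+)")
WEBLOGIN_RE = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: ([^\]]+)\] \[Source: ([^\]]+)\]")


def unknown_privileged_users(running_config, known_users=KNOWN_USERS):
    """Local privilege 15 accounts in running-config that are not on the allowlist."""
    return sorted(user for user, priv in USERNAME_RE.findall(running_config)
                  if priv == "15" and user not in known_users)


def http_server_exposed(running_config):
    """True if the Web UI listener is enabled (ip http server / ip http secure-server)."""
    return bool(re.search(r"^ip http (secure-)?server\s*$", running_config, re.M))


def webui_findings(syslog, known_users=KNOWN_USERS):
    """Flag config writes made by the Web UI process and Web UI logins by unknown users."""
    findings = []
    for line in syslog.splitlines():
        m = PROG_CONFIG_RE.search(line)
        if m and "webui" in m.group(1).lower():
            findings.append(("programmatic-config-via-webui", m.group(1)))
        m = WEBLOGIN_RE.search(line)
        if m and m.group(1) not in known_users:
            findings.append(("webui-login-unknown-user", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    print("unknown priv-15 users:", unknown_privileged_users(SAMPLE_RUNNING_CONFIG))
    print("web ui enabled:", http_server_exposed(SAMPLE_RUNNING_CONFIG))
    for finding in webui_findings(SAMPLE_SYSLOG):
        print("finding:", finding)
```

A hit on any of the three checks is a reason to pull the device's full configuration and logs for review; an absence of hits is not proof the device is clean, since the advisory describes an implant that need not appear in running-config.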

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


Oct 16, 2023: Cisco released an advisory for CVE-2023-20198
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Oct 16, 2023: Cisco Talos released a detailed blog about the CVE-2023-20198 vulnerability and its active exploitation.
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/

Oct 16, 2023: FortiGuard Labs released a Threat Signal for the vulnerability (CVE-2023-20198)
https://www.fortiguard.com/threat-signal-report/5293

Oct 19, 2023: CISA added CVE-2023-20198 to its Known Exploited Vulnerabilities (KEV) Catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog


Oct 20, 2023: Cisco identified an additional vulnerability (CVE-2023-20273) that is exploited to deploy the implant. Fixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22 according to the vendor advisory. Please see the following link for software fix availability:
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure

  • Decoy VM

  • IPS

  • Web App Security

DETECT
  • Outbreak Detection

  • Threat Hunting

  • Content Update

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise

IOC Indicator List