Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities

Related topics:
Cyber Threats and Advisories, Securing Networks, Incident Detection, Response, and Prevention

Summary

Note: CISA will continue to update this webpage as we have further guidance to impart.

CISA and its partners are responding to active, widespread exploitation of two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting the Web User Interface (Web UI) of Cisco's Internetwork Operating System (IOS) XE Software. The IOS XE Web UI is the embedded web-based management interface of IOS XE, a network operating system that runs on a range of Cisco routers and switches. An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system; specifically, they allow the actor to create a privileged account that provides complete control over the device.

Organizations running IOS XE Web UI should immediately implement the mitigations outlined in Cisco's Security Advisory, Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, which include disabling the HTTP Server feature on internet-facing systems, and hunt for malicious activity on their network. According to the Cisco Talos blog, Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities, "Organizations should look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat." See the Talos blog for specific detection methods.

(Updated Nov. 1, 2023)

Note: See Cisco's Software Fix Availability for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198 for a comprehensive list of available software fixes. The list includes fixed IOS XE software releases, including for 17.9, 17.6, 17.3 and 16.12 as well as available Software Maintenance Upgrades (SMUs).

(End of Update) 

Technical Details

CVE-2023-20198 is a privilege escalation vulnerability in the Web UI feature of Cisco's IOS XE software. It affects both physical and virtual devices that have the HTTP Server or HTTPS Server feature enabled, because the Web UI is served by that feature. Exploitation allows an actor to gain full administrative (privilege level 15) access to the device without authentication. After obtaining the privileged account, the actor can create a local user account with normal privileges and use it to exploit a second IOS XE Web UI vulnerability, CVE-2023-20273, a command injection flaw that executes the injected commands with root privileges on the underlying system, enabling the actor to run arbitrary commands on the device.

According to the Cisco Talos blog referenced above, a threat actor can:

  1. Exploit CVE-2023-20198 to obtain initial access and create a privileged account.
  2. Use the privileged account to create a local user account with normal privileges.
  3. Use the local user account to exploit another Cisco IOS XE Web UI vulnerability, CVE-2023-20273, to inject commands with elevated (root) privileges, which enables the actor to run arbitrary commands on the device.

Actions for Organizations Running Cisco IOS XE Web UI

CISA urges organizations running Cisco IOS XE Web UI to immediately implement the mitigations outlined in Cisco's Security Advisory, which include disabling the HTTP Server feature on internet-facing systems, and hunt for malicious activity on their network. Note: CISA will add to these mitigations as more information becomes available.
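The two actions above, disabling the Web UI listener and hunting for unexplained local accounts, can both be driven from a device's `show running-config` output. The following script is an added example written for this page, not code from CISA, Cisco or Talos. It parses a constructed running-config sample (no real device, no real credentials), flags local `username` entries that are not on a hypothetical allow-list (`EXPECTED_ACCOUNTS`), reports whether the `ip http server` or `ip http secure-server` listeners are on, and emits the standard IOS XE global-configuration commands that turn them off. Account names in the sample are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `show running-config` output for illustration only.
SAMPLE_RUNNING_CONFIG = """\
version 17.9
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username backup privilege 5 secret 9 $9$placeholder
username svc_tmp privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Hypothetical allow-list: the accounts that are supposed to exist on this device.
EXPECTED_ACCOUNTS = {"netops", "backup"}

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


@dataclass
class ConfigFacts:
    users: dict = field(default_factory=dict)   # account name -> privilege level
    http_server: bool = False                   # `ip http server` present
    http_secure_server: bool = False            # `ip http secure-server` present


def parse_running_config(text: str) -> ConfigFacts:
    """Extract local accounts and Web UI listener state from running-config text."""
    facts = ConfigFacts()
    for raw in text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            # IOS XE assigns privilege 1 when the `privilege` keyword is absent.
            facts.users[m.group(1)] = int(m.group(2) or 1)
        elif line == "ip http server":
            facts.http_server = True
        elif line == "ip http secure-server":
            facts.http_secure_server = True
    return facts


def hunt(facts: ConfigFacts, expected: set) -> list:
    """Return findings: accounts not on the allow-list and an exposed Web UI."""
    findings = []
    for name, priv in sorted(facts.users.items()):
        if name not in expected:
            sev = "HIGH" if priv == 15 else "MEDIUM"
            findings.append(f"{sev}: unexpected local account '{name}' (privilege {priv})")
    if facts.http_server or facts.http_secure_server:
        findings.append("HIGH: Web UI listener enabled (ip http server / ip http secure-server)")
    return findings


def remediation(facts: ConfigFacts) -> list:
    """Global-config commands that disable whichever Web UI listeners are on."""
    cmds = []
    if facts.http_server:
        cmds.append("no ip http server")
    if facts.http_secure_server:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    facts = parse_running_config(SAMPLE_RUNNING_CONFIG)
    for finding in hunt(facts, EXPECTED_ACCOUNTS):
        print(finding)
    for cmd in remediation(facts):
        print("config:", cmd)
```

A privilege-15 account absent from the allow-list is the strongest signal here, since that is what successful exploitation of CVE-2023-20198 leaves behind. Run the audit against a configuration snapshot taken before the exploitation window as well as the current one, so that recently added accounts stand out. After applying `no ip http server` and `no ip http secure-server`, save the configuration with `copy running-config startup-config`, and keep in mind that removing the account does not by itself establish that the device is clean.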

(Updated Nov. 1, 2023)

Organizations should upgrade to an appropriate fixed software release as indicated in the following table:

Cisco IOS XE Software Release Train    First Fixed Release    Available
17.9                                   17.9.4a                Yes
17.6                                   17.6.6a                Yes
17.3                                   17.3.8a                Yes
16.12 (Catalyst 3650 and 3850 only)    16.12.10a              Yes

Note: See Cisco's Security Advisory, Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, for additional details as well as available Software Maintenance Upgrades (SMUs). Also, see Cisco's Software Fix Availability for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198 for a comprehensive list of fixed software releases and SMUs.

(End of Update) 
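Comparing a fleet's reported versions against the table above is error-prone by hand because the fixed releases are rebuilds (the trailing `a`), so `17.9.4` is vulnerable while `17.9.4a` is fixed, and `show version` may print the release zero-padded (`17.09.04a`). The following script is an added example for this page, not Cisco or CISA tooling. It encodes the four trains from the table, parses either a bare version string or a constructed `show version` excerpt, and classifies the release as fixed, vulnerable, or belonging to a train the table does not cover.

```python
import re

# First fixed releases exactly as listed in the table on this page.
FIRST_FIXED_RELEASE = {
    "17.9": "17.9.4a",
    "17.6": "17.6.6a",
    "17.3": "17.3.8a",
    "16.12": "16.12.10a",
}

# Constructed `show version` excerpt for illustration; not from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 17.09.04
Cisco IOS Software [Cupertino], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.9.4, RELEASE SOFTWARE (fc3)
"""

BARE_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")
# Also matches the zero-padded form printed by `show version`, e.g. "Version 17.09.04a".
SHOW_VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text: str) -> tuple:
    """Parse '17.9.4a' or a `show version` dump into (major, minor, patch, suffix)."""
    m = BARE_VERSION_RE.match(text.strip()) or SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no IOS XE version found in {text!r}")
    major, minor, patch, suffix = m.groups()
    # int() drops zero padding, so 17.09.04a and 17.9.4a compare equal.
    return (int(major), int(minor), int(patch), suffix)


def release_train(version: tuple) -> str:
    """Map (17, 9, 4, 'a') to the train key '17.9' used in the table."""
    return f"{version[0]}.{version[1]}"


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-train' for a version string or `show version` output."""
    version = parse_version(text)
    fixed = FIRST_FIXED_RELEASE.get(release_train(version))
    if fixed is None:
        # Trains outside the table: consult Cisco's fix-availability list instead.
        return "unknown-train"
    # Tuple comparison orders the rebuild suffix correctly: (17,9,4,'') < (17,9,4,'a').
    return "fixed" if version >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    for sample in ("17.9.4", "17.9.4a", "17.6.5", "16.12.10a", "17.12.1", SAMPLE_SHOW_VERSION):
        label = sample.splitlines()[0] if "\n" in sample else sample
        print(f"{label!r}: {assess(sample)}")
```

Two caveats when using this across a fleet. First, a device fixed by a Software Maintenance Upgrade rather than a full upgrade still reports its base release in `show version`, so a `vulnerable` verdict should be confirmed against the installed SMUs (`show install summary` on install-mode devices) before scheduling work. Second, `fixed` only says the running code is at or past the first fixed release for that train; it says nothing about whether the device was compromised before the upgrade, so the account hunt described above still applies.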

Resources

This information is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.

Mitigation Guidance

  • Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
  • Cisco Talos Blog: Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities

Additional Resources

  • CISA BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interface
  • Palo Alto Networks: Cisco IOS XE Web UI Privilege Escalation Vulnerability
  • Proofpoint Emerging Threats Signatures: Ruleset Update Summary - 2023/10/17 - v10443
  • GreyNoise: Unpacking CVE-2023-20198 - A Critical Weakness in Cisco IOS XE

 

 
