CISA Updates Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities With Additional Releases

Today, CISA updated its guidance addressing two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI).

The guidance now notes that Cisco has fixed these vulnerabilities for the 17.6 Cisco IOS XE software release train with the 17.6.6a update. According to Cisco's Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, fixes are still to be determined for the following Cisco IOS XE software release trains: 17.3, 16.12 (Catalyst 3650 and 3850 only). Cisco previously published the fixed release for 17.9, which is 17.9.4a, on Oct. 22. CISA urges organizations with the 17.9 and 17.6 Cisco IOS XE software release train to immediately update to the 17.9.4a and 17.6.6a releases, respectively.

CISA urges organizations to review:

• CISA’s updated guidance
• Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
• Cisco Product Support: Software Fix Availability for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198
• Cisco Talos Threat Advisory: Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities

CISA has added CVE-2023-20198 (on Oct. 16, 2023) and CVE-2023-20273 (on Oct. 23, 2023) to its Known Exploited Vulnerabilities Catalog, which, per Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats.