In October 2023, tens of thousands of Cisco routers and switches were implanted in a matter of days through a vulnerability that needed nothing more than reachability to the device's web interface. That vulnerability was CVE-2023-20198, an unauthenticated privilege escalation in the Cisco IOS XE Web UI. Cisco assigned it CVSS 3.1 10.0 (Critical), the maximum score, and disclosed it as an actively exploited zero-day.
ID and severity
CVE-2023-20198 is a privilege escalation flaw in the web user interface (the HTTP or HTTPS Server feature) of Cisco IOS XE Software. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The scope-changed component and the maximum score reflect what the bug grants: an unauthenticated, remote attacker can create a local account with full privilege level 15, the highest administrative tier on the device.
In the observed attacks, CVE-2023-20198 was chained with a second flaw, CVE-2023-20273 (a command injection rated CVSS 7.2), which the attacker used to elevate to root and write a persistent implant to the file system. The first bug got them in; the second let them stay.
Timeline and impact
Cisco published advisory cisco-sa-iosxe-webui-privesc-j22SaA4z on October 16, 2023, warning of active exploitation. Telemetry from external researchers moved fast: scans on October 18 counted roughly 22,000 implanted devices, and later counts remained in the tens of thousands. CISA added CVE-2023-20198 to its Known Exploited Vulnerabilities catalog immediately. The initial release lacked a patch; Cisco provided a workaround first and then began shipping fixed IOS XE images and Software Maintenance Upgrades over the following days.
The blast radius was enormous because IOS XE runs on a huge portion of Cisco's enterprise and service-provider routing and switching lineup, and many operators had inadvertently left the web UI reachable from the internet.
Root cause
The web UI is a management application bundled with IOS XE. The privilege escalation stems from insufficient authorization enforcement on certain web UI endpoints: a request could reach functionality that provisions a local user account without the request being properly authenticated. In effect, an anonymous HTTP request to the management interface could drive the device to create a privilege-15 account chosen by the attacker.
A safe illustration: the attacker sends a crafted request to a management endpoint, and instead of rejecting the anonymous caller, the device processes it as a legitimate administrative action and adds a new level-15 user. With that account, the attacker authenticates normally, then uses the chained command injection to run commands as root and drop an implant. No memory corruption or exotic exploit primitive is required; the core failure is a missing access-control check on an exposed management surface.
This is the same structural weakness seen across network appliances in recent years: a powerful web management interface, reachable over the network, with an authorization gap that turns "manage the device" into "own the device."
Detection
- Determine whether the HTTP or HTTPS Server feature is enabled by checking for
ip http serverorip http secure-serverin the running configuration. - Identify which devices expose that interface to untrusted networks. Internet-reachable management planes are the top priority.
- Hunt for unexpected local accounts, especially newly added privilege-15 users you cannot attribute to a change record.
- Use Cisco's published indicators: check for the implant by issuing the documented web-request check against the device, and review logs for unexpected user-creation and configuration events around mid-October 2023.
Remediation and fixed releases
Apply a fixed IOS XE release. Cisco shipped patched images across the affected trains, including the 17.9, 17.6, 17.3, and 16.12 families, along with Software Maintenance Upgrades for faster deployment; consult the Cisco advisory for the exact fixed build matching your train.
The single most effective mitigation, and Cisco's primary guidance, is to disable the HTTP Server feature on any device that does not strictly require it, using no ip http server and no ip http secure-server. Where the web UI is genuinely needed, restrict it with access control lists so only trusted management hosts can reach it, and never expose it to the internet. After remediation, investigate any device that was exposed, because the implant and the attacker-created account persist independently of the vulnerability.
How Safeguard helps
CVE-2023-20198 is device firmware rather than an application dependency, but it embodies the pattern supply chain security exists to catch: a critical, actively exploited, fix-available flaw in a component that drifted out of an organization's visibility. Safeguard builds a continuous inventory of the components in your build and deployment artifacts and correlates every one against the CISA KEV catalog and exploitation signals, so anything tied to a known-exploited advisory is elevated instead of lost in a list of thousands. For the workloads you do ship as images, container scanning surfaces exposed management stacks and end-of-life bases, software composition analysis applies that KEV-aware ranking to the dependencies you own, and Griffin AI turns a dense vendor advisory into an actionable summary of exposure and fix path. If you want to see how that prioritization compares against your current tooling, the Safeguard comparisons break it down.
A fix-available, actively exploited CVE should never be the gap an attacker walks through. Get started free or read the documentation.
Frequently Asked Questions
What is CVE-2023-20198?
It is an unauthenticated privilege escalation vulnerability in the Cisco IOS XE Web UI. A remote attacker with access to the web management interface can create a local account with full privilege level 15, giving them administrative control of the device. Cisco rates it CVSS 10.0 (Critical).
How was CVE-2023-20198 exploited?
Attackers used CVE-2023-20198 to create a privileged local account, then chained it with CVE-2023-20273 (a command injection) to elevate to root and install a persistent implant. Researchers observed roughly 22,000 implanted devices within days of the October 16, 2023 disclosure.
Which Cisco IOS XE versions are affected and how do I fix it?
The vulnerability affects physical and virtual IOS XE devices with the HTTP or HTTPS Server feature enabled. Cisco released fixed images across the 17.9, 17.6, 17.3, and 16.12 trains plus Software Maintenance Upgrades. Apply the fixed release for your train and, wherever possible, disable the HTTP Server feature entirely.
How do I know if a device was already compromised?
Check for unexplained privilege-15 local accounts and use Cisco's published web-request check to detect the implant, then review configuration and authentication logs for unexpected user creation around mid-October 2023. Because the implant and rogue account persist after patching, any previously exposed device should be investigated, not just upgraded.