On October 16, 2023, Cisco's Talos intelligence team disclosed that a critical zero-day vulnerability in the web UI feature of Cisco IOS XE Software was being actively exploited. CVE-2023-20198, rated CVSS 10.0, allowed unauthenticated remote attackers to create privileged accounts on affected devices. Within days, security researchers confirmed that over 40,000 Cisco devices worldwide had been compromised with a malicious implant.
The Vulnerability Chain
The attack actually involved two vulnerabilities chained together:
CVE-2023-20198 (CVSS 10.0): A privilege escalation vulnerability in the web UI feature of IOS XE. An unauthenticated attacker who can reach the web UI can create a local account with privilege level 15 (full administrative access) on the device. The bug is only exposed when the HTTP or HTTPS server feature (`ip http server` / `ip http secure-server`) is enabled.
CVE-2023-20273 (CVSS 7.2): A command injection vulnerability in the web UI that allows an authenticated administrator to execute commands as root on the device's underlying Linux host. It was used after CVE-2023-20198 to write and activate the implant.
The attack chain: exploit CVE-2023-20198 to create an admin account, authenticate with that account, then exploit CVE-2023-20273 to deploy a Lua-based implant on the device.
The Implant
The implant deployed on compromised devices was a small Lua-based web shell, written into the device's nginx configuration (Talos reported the path /usr/binos/conf/nginx-conf/cisco_service.conf) so that it runs inside the device's own web server. When an attacker sends a specific HTTP request to a compromised device carrying a particular Authorization header value, the implant executes arbitrary commands at the system level. The implant itself is not persistent: a reboot removes it. The privilege-15 accounts created through CVE-2023-20198, however, live in the device configuration and survive reboots.
Cisco Talos published a simple check with the disclosure: send an HTTP POST to `/webui/logoutconfirm.html?logon_hash=1` on the device, and if the response body is a hexadecimal string, the implant is present. This allowed rapid scanning of internet-facing IOS XE devices.
The Shadowserver Foundation, Censys, and LeakIX all began scanning and tracking affected devices. The initial numbers were alarming:
- October 17: ~10,000 devices confirmed implanted
- October 18: ~30,000 devices
- October 19: ~40,000+ devices
- October 20: Numbers suddenly dropped to ~1,200
The dramatic drop on October 20 confused researchers initially. It turned out that the threat actors had updated the implant so that it only answered requests carrying a specific Authorization header value, which made the published check return nothing. The devices were still compromised, just harder to detect.
Fox-IT (NCC Group) subsequently developed a new detection method that revealed the updated implant, confirming that most of the original 40,000+ devices remained compromised.
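The following is an added example of the published implant check as a triage script, not Cisco, Talos or Fox-IT tooling. It assumes the device web UI is reachable over HTTPS on `port`, deliberately skips certificate verification because these devices typically present self-signed certificates, and uses a lenient minimum hex length (`HEX_MIN_LEN`) rather than a published one. The Authorization value the updated implant variant expects is not on this page, so `auth_header` is left for the operator to supply; without it the script only sees the first variant, which is exactly the blind spot the October 20 drop exposed.

```python
"""Implant probe for IOS XE web UIs (added example; not Cisco, Talos or Fox-IT tooling).

Assumptions: the device web UI is reachable over HTTPS on `port`; certificate
verification is skipped on purpose (self-signed device certificates); HEX_MIN_LEN is a
lenient guess, not a published length; `auth_header` is operator-supplied because the
value the updated implant variant checks is not reproduced here.
"""
import re
import ssl
import urllib.error
import urllib.request
from typing import Optional

# Request shape from the check Cisco Talos published: POST this path, and a device that
# answers with a bare hexadecimal string is running the implant.
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
HEX_MIN_LEN = 8  # assumption: long enough not to match a short token by accident
HEX_BODY = re.compile(r"[0-9a-fA-F]{%d,}" % HEX_MIN_LEN)


def classify_body(body: str) -> str:
    """Apply the published rule to a response body: a bare hex string means implanted."""
    text = body.strip()
    if text and HEX_BODY.fullmatch(text):
        return "implanted"
    return "no-indicator"  # an unmodified web UI returns HTML (or nothing useful) here


def probe(host: str, port: int = 443, auth_header: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Send the check to one device; return 'implanted', 'no-indicator' or 'unreachable'.

    `auth_header`, when given, is sent as the Authorization header so the request also
    reaches the updated variant that ignores requests without it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed device cert; we are probing our own gear
    url = f"https://{host}:{port}{IMPLANT_PATH}"
    headers = {"User-Agent": "iosxe-implant-check"}
    if auth_header:
        headers["Authorization"] = auth_header
    req = urllib.request.Request(url, data=b"", method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        body = exc.read(4096).decode("utf-8", "replace")  # 4xx/5xx bodies still carry the answer
    except (urllib.error.URLError, OSError):
        return "unreachable"
    return classify_body(body)


def sweep(hosts, **kwargs) -> dict:
    """Probe a list of hosts and group them by verdict."""
    results = {"implanted": [], "no-indicator": [], "unreachable": []}
    for host in hosts:
        results[probe(host, **kwargs)].append(host)
    return results


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(f"{host}\t{probe(host)}")
```

Run it against your own device inventory only; a "no-indicator" verdict from the original check is not a clean bill of health, because the updated variant stays silent unless the request carries the header it expects.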
Scale and Impact
IOS XE runs on a massive range of Cisco hardware:
- Enterprise switches (Catalyst 3650/3850 and Catalyst 9000 series)
- Routers (ISR 1000/4000, ASR 1000, Catalyst 8000 series)
- Wireless LAN controllers (Catalyst 9800 series)
- Various other network infrastructure
Any device running IOS XE with the HTTP or HTTPS server feature enabled and reachable from an untrusted network was exploitable. The feature is commonly left enabled because the web-based configuration interface and several management integrations depend on it.
The affected devices weren't consumer routers—they were enterprise and service provider network infrastructure. Compromising these devices gave attackers:
- Complete control of network routing
- Ability to intercept and modify traffic
- Persistent access: the implant itself is cleared by a reboot, but the privilege-15 account created through CVE-2023-20198 stays in the configuration, so the attacker can simply log in and redeploy
- A foothold for lateral movement into connected networks
Cisco's Response
Cisco's response timeline drew criticism:
October 16: Cisco discloses CVE-2023-20198 and recommends disabling the HTTP/HTTPS server feature (`no ip http server` and `no ip http secure-server`) on internet-facing devices, or restricting it to trusted addresses with `ip http access-class`. No patch available.
October 20: Cisco updates the advisory to name CVE-2023-20273 as the second vulnerability in the chain; the second stage had initially been attributed to the older CVE-2021-1435.
October 22: Cisco releases the first fixed software versions.
The six-day gap between disclosure and patch availability left organizations with a difficult choice: disable the web UI (breaking legitimate management workflows), lock it down with access lists on every affected device, or remain vulnerable to active exploitation.
Remediation Challenges
Patching 40,000+ compromised network devices is a massive undertaking:
Patching doesn't undo the compromise. The reboot that comes with an upgrade clears the non-persistent implant, but the attacker-created privilege-15 accounts and any other configuration changes remain, and so does whatever the attacker did with the device while they had it. Organizations needed to first determine whether a device was compromised, remove unauthorized accounts and changes, rotate credentials, and then patch to prevent recompromise. Applying the patch alone left a working administrator account behind.
Network devices are hard to patch. Unlike servers that can be updated with a package manager, network device upgrades often require planned maintenance windows, configuration backups, and careful testing.
Detection was a moving target. The attackers updated the implant to evade detection, requiring researchers to continuously develop new detection methods.
Scope was unclear. Many organizations didn't have accurate inventories of their IOS XE devices, let alone knowledge of which ones had the HTTP server feature enabled.
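One way to answer the two scope questions above (is the web UI enabled and unrestricted, and which privilege-15 accounts exist that you did not create) is to audit `show running-config` captures offline. The script below is an added example, not a Cisco or Safeguard.sh tool. Both configuration captures are constructed for the example, `EXPECTED_ADMINS` is an assumed allowlist you replace with your own, and the access-class line follows the `ip http access-class` command form (check your platform's exact syntax). The account name cisco_tac_admin is one of the names Talos reported the attackers creating; the audit treats any name outside the allowlist the same way.

```python
"""Audit `show running-config` captures for web UI exposure and unexpected privilege-15
accounts (added example; not a Cisco or Safeguard.sh tool).

SAMPLE_CONFIG and HARDENED_CONFIG are constructed for the example. EXPECTED_ADMINS is an
assumed allowlist; replace it with the accounts your organization actually provisions.
"""
import re

EXPECTED_ADMINS = frozenset({"netops"})  # assumption: the only admin you provisioned

SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$redacted
username cisco_tac_admin privilege 15 secret 9 $9$redacted
!
ip http server
ip http secure-server
ip http authentication local
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr-02
!
username netops privilege 15 secret 9 $9$redacted
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

# Matches "username NAME ... privilege 15 ..." without matching privilege 1 or 150.
PRIV15_RE = re.compile(r"^username\s+(\S+)\s+(?:.*\s)?privilege\s+15\b")


def audit_config(text, expected_admins=EXPECTED_ADMINS):
    """Return web UI state, privilege-15 accounts and a list of findings for one device."""
    state = {"http_server": False, "https_server": False, "access_class": None,
             "priv15_users": [], "unexpected_admins": [], "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http_server"] = True
        elif line == "no ip http server":
            state["http_server"] = False
        elif line == "ip http secure-server":
            state["https_server"] = True
        elif line == "no ip http secure-server":
            state["https_server"] = False
        elif line.startswith("ip http access-class "):
            state["access_class"] = line[len("ip http access-class "):]
        else:
            match = PRIV15_RE.match(line)
            if match:
                state["priv15_users"].append(match.group(1))

    state["unexpected_admins"] = [u for u in state["priv15_users"]
                                  if u not in expected_admins]
    if (state["http_server"] or state["https_server"]) and state["access_class"] is None:
        state["findings"].append(
            "web UI enabled with no access-class; exploitable from any network that reaches it")
    for user in state["unexpected_admins"]:
        state["findings"].append(
            f"unexpected privilege-15 account {user!r}; remove it and rotate credentials")
    return state


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = audit_config(fh.read())
        for finding in result["findings"] or ["no findings"]:
            print(f"{path}: {finding}")
```

Feed it the saved configuration of every IOS XE device you can enumerate; a device that shows up with no findings but was internet-facing before the advisory still needs the implant check, since the audit only sees the configuration, not the web server's state.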
Lessons for Network Security
Never expose management interfaces to the internet. This is basic network hygiene, but over 40,000 devices had their web UIs accessible from the internet. Management interfaces should be restricted to dedicated management networks or accessed through VPN.
Network device security monitoring is often neglected. Most organizations have extensive logging and monitoring for servers and endpoints but minimal visibility into what's happening on their network devices.
Maintain accurate network device inventories. When CVE-2023-20198 was disclosed, organizations needed to immediately identify all affected devices. Those without accurate inventories were flying blind.
Have a network device incident response plan. Responding to compromised network infrastructure requires different skills and processes than responding to compromised servers.
How Safeguard.sh Helps
Safeguard.sh extends supply chain security to network infrastructure by tracking firmware versions, configurations, and vulnerability status across your network devices. When critical vulnerabilities like CVE-2023-20198 are disclosed, our platform immediately identifies affected devices in your environment and tracks remediation from detection through patching. Safeguard.sh's continuous monitoring catches the gaps that periodic vulnerability scans miss, ensuring that network infrastructure receives the same security attention as your application stack.