Zero-Day Exploits

Cisco IOS XE CVE-2023-20198: The Zero-Day That Compromised Tens of Thousands of Network Devices

CVE-2023-20198 in Cisco IOS XE allowed unauthenticated attackers to create admin accounts on network devices. Over 40,000 devices were compromised before Cisco shipped a fix.

Shadab Khan
Security Engineer
6 min read

In October 2023, Cisco disclosed CVE-2023-20198, a critical zero-day vulnerability in the web UI of IOS XE, the operating system that runs much of Cisco's enterprise switching, routing and wireless-controller line. The flaw allowed an unauthenticated attacker who could reach the web UI to create a local account with full administrative privileges. Within days, security researchers counted over 40,000 compromised devices worldwide, most of them carrying a Lua-based implant that gave the attackers command execution on the device. It was one of the largest mass compromises of network infrastructure ever observed.

The Vulnerability Chain

The attack involved two vulnerabilities:

CVE-2023-20198 (CVSS 10.0): An unauthenticated privilege escalation vulnerability in the IOS XE web UI. An attacker who could reach the web UI over HTTP or HTTPS could create a new local user account with privilege level 15 (full administrative access) without supplying any credentials.

CVE-2023-20273 (CVSS 7.2): A command injection vulnerability in the same web UI that allowed a user with administrative access to run commands as root on the underlying Linux system that hosts IOS XE.

The attackers chained these vulnerabilities (Cisco initially believed the root-access step used the older CVE-2021-1435, and only later identified CVE-2023-20273 as the vulnerability actually used):

  1. Exploit CVE-2023-20198 to create an admin account
  2. Use the admin account to authenticate to the web UI
  3. Exploit CVE-2023-20273 to escape to root
  4. Deploy a Lua-based implant on the device

The Implant

The Lua-based implant was particularly notable for its design:

  • Deployed at the path /usr/binos/conf/nginx-conf/cisco_service.conf
  • Accessible via a specific HTTP request to the device's web server
  • Required an Authorization header containing a specific 18-character hexadecimal string
  • Provided the ability to execute arbitrary commands at the IOS level or on the underlying system
  • Did not survive device reboot (non-persistent)

The non-persistence initially looked like good news: a reboot clears the implant. It is a weaker reassurance than it sounds. The attackers could re-exploit the vulnerability and redeploy the implant for as long as the web UI stayed reachable, and the privilege-15 accounts created through CVE-2023-20198 are ordinary configuration entries rather than part of the implant, so they remain after a reboot whenever the configuration has been saved. Rebooting a core network device in production is also not something most teams can do on a whim.

Security researchers at Censys, Shadowserver, and VulnCheck tracked the number of compromised devices in near real time. The count peaked at over 40,000 IOS XE devices within days of the initial disclosure.

The Scale of Impact

Cisco IOS XE runs on a massive range of networking equipment:

  • Enterprise switches (Catalyst 3650/3850 and 9000 series)
  • Enterprise routers (ISR 1000 and 4000 series, ASR 1000 series)
  • Wireless controllers (Catalyst 9800 series)
  • Industrial Ethernet switches and routers

Any of these devices with the web UI enabled was vulnerable to anyone who could reach that web UI; the devices exposing it to the internet were the ones swept up in the mass exploitation. Shodan scans before the disclosure showed over 80,000 IOS XE web interfaces exposed to the internet.

The compromised devices spanned every industry and geography. Internet service providers, enterprises, government agencies, healthcare organizations, and educational institutions all appeared in the list of affected systems.

The Response Chaos

The response to CVE-2023-20198 was chaotic for several reasons:

No patch available at disclosure: Cisco disclosed the vulnerability on October 16, 2023, but the first fixed IOS XE release did not ship until October 22. For that week the only mitigations were Cisco's own recommendations: disable the HTTP server feature (no ip http server and no ip http secure-server) on internet-facing devices, or restrict it to trusted source addresses with an access list. Disabling the web UI removed the management path many administrators relied on.

Indicator-of-compromise confusion: The initial detection method published by Cisco Talos was an unauthenticated POST to /webui/logoutconfirm.html?logon_hash=1. A device running the implant answered with a hexadecimal string where a clean device returned an ordinary web UI response. Around October 21 the attackers updated the implant so that this request no longer produced the telltale reply, and the compromised device count appeared to fall dramatically. Some read the drop as devices being cleaned up; in reality the implant had simply become harder to detect, and a negative result from the old check no longer proved anything.
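Here is what that original check looks like as a small scanner, added as an illustration and not Cisco's or Talos's own tooling. It sends the unauthenticated POST described above and classifies the answer. The sample bodies in it are constructed, the minimum hex length used to tell an implant reply from a short numeric body is this example's own threshold, and the main caveat is encoded in the result names: a reply without the indicator is reported as no_indicator rather than clean, because the updated implant answered exactly that way.

```python
"""Probe IOS XE devices for the original CVE-2023-20198 implant indicator.

Added example, not Cisco's or Talos's tooling. The request it sends is the
one Talos published: an unauthenticated POST to
/webui/logoutconfirm.html?logon_hash=1. A device running the first implant
version answered with a bare hexadecimal string; a clean device (or one
running the later, evasive implant) returns an ordinary web UI response.
"""
import http.client
import re
import ssl

IMPLANT_PROBE_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# Assumption of this example: the implant reply is a body made only of hex
# digits. The length floor of 8 exists so that short numeric bodies such as
# "404" are not mistaken for an implant hash.
HEX_BODY = re.compile(r"[0-9a-fA-F]{8,}")


def classify_probe_response(status: int, body: str) -> str:
    """Map an HTTP status/body pair to a finding.

    'implant'      - original implant behaviour observed
    'no_indicator' - nothing observed; NOT proof the device is clean, since
                     the post-October-21 implant no longer answers this way
    """
    text = body.strip()
    if status == 200 and HEX_BODY.fullmatch(text):
        return "implant"
    return "no_indicator"


def probe_device(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe to one device and classify the reply.

    Certificate verification is disabled because IOS XE web UIs almost always
    present self-signed certificates; run this from a management network
    against devices you own. Any transport failure is reported as an error
    rather than silently counted as 'no_indicator'.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("POST", IMPLANT_PROBE_PATH, body=b"",
                     headers={"Content-Length": "0"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", errors="replace")
        return classify_probe_response(resp.status, body)
    except (OSError, http.client.HTTPException) as exc:
        return f"error: {exc.__class__.__name__}"
    finally:
        conn.close()


def scan(hosts) -> dict:
    """Probe every host and return {host: finding}."""
    return {host: probe_device(host) for host in hosts}


if __name__ == "__main__":
    import sys
    # Usage: python probe.py 10.0.0.1 10.0.0.2 ...
    for host, finding in scan(sys.argv[1:]).items():
        print(f"{host}\t{finding}")
```

Treat the output the way responders had to after October 21: an implant result is actionable, a no_indicator result only means this particular fingerprint was absent, and the device still needs its running configuration reviewed for accounts nobody provisioned.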

Multiple threat actors: Analysis of the compromised devices revealed different implant variants, suggesting multiple threat actors were exploiting the vulnerability independently.

Reboot debate: Guidance conflicted on whether to reboot compromised devices. Rebooting cleared the implant but also destroyed the forensic evidence held in memory, and without a patch the device could be re-compromised immediately afterwards. A reboot also did nothing about the attacker-created accounts, which had to be found in the configuration and removed by hand.

Who Was Behind It

As of late 2023, the campaign had not been definitively attributed to a specific threat actor. Several indicators nonetheless pointed toward a sophisticated, likely state-sponsored operation:

  • The implant was purpose-built for IOS XE, suggesting deep knowledge of Cisco's platform
  • The scale of exploitation was consistent with broad intelligence collection
  • The command-and-control infrastructure showed careful operational security
  • The attackers updated the implant to evade detection, demonstrating active monitoring of the security community's response

Lessons From the IOS XE Campaign

1. Network Device Web UIs Should Not Be Internet-Facing

This is straightforward guidance that thousands of organizations ignored. Network device management interfaces should only be reachable from dedicated management networks. There is almost never a legitimate reason for a router or switch's web UI to be accessible from the public internet. Where the web UI must stay enabled, Cisco's own mitigation applies: bind it to an access list so that only trusted source addresses can reach it, and check the HTTP server status on the device rather than assuming it is off.

2. Network Devices Need Monitoring Too

Most organizations have little visibility into what runs on their network devices. They cannot run EDR on switches and routers, they rarely monitor file integrity on the device filesystem, and they seldom inspect HTTP traffic to management interfaces.

That blind spot is why tens of thousands of devices could be implanted without their owners noticing.

3. Have a Playbook for Network Device Compromises

When CVE-2023-20198 was disclosed, most organizations had no incident response playbook for compromised network devices. They had procedures for compromised servers and workstations, but not for routers and switches. Given the frequency of network device vulnerabilities, this gap needs to be addressed.

4. Configuration Management for Network Devices

Organizations should maintain known-good configurations for every network device and regularly diff the running configuration against that baseline. A privilege-15 account that nobody provisioned is exactly the kind of change such a diff surfaces, and it would have flagged the accounts created by CVE-2023-20198 exploitation.
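As an added example (not Safeguard.sh's or Cisco's code), here is a small baseline diff of the kind described, run over two constructed configurations. It parses the username and ip http lines from IOS-style text, reports accounts that are absent from the baseline or whose privilege has grown, and also flags a web UI that is enabled without an ip http access-class ACL, which ties this lesson back to lesson 1. The hostname, account names and hashes are constructed.

```python
"""Diff an IOS XE running configuration against a known-good baseline.

Added example, not Safeguard.sh's or Cisco's code. Both configs below are
constructed for the example. It flags the changes the CVE-2023-20198
campaign produced: local accounts that are not in the baseline (critical
when they hold privilege 15), accounts whose privilege was raised, and a
web UI (ip http server / ip http secure-server) that is enabled without an
ip http access-class restriction.
"""
import re

# "username NAME [privilege N] ..."; privilege defaults to 1 when omitted.
USERNAME_LINE = re.compile(r"^username (\S+)(?: privilege (\d+))?")


def parse_config(text: str):
    """Return (accounts, http): accounts maps name -> privilege level, http
    records the HTTP server state seen in the config text."""
    accounts = {}
    http = {"server": False, "secure_server": False, "access_class": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = USERNAME_LINE.match(line)
        if m:
            name, priv = m.group(1), int(m.group(2) or 1)
            # A user may appear on several lines; keep the highest privilege.
            accounts[name] = max(priv, accounts.get(name, 0))
        elif line == "ip http server":
            http["server"] = True
        elif line == "no ip http server":
            http["server"] = False
        elif line == "ip http secure-server":
            http["secure_server"] = True
        elif line == "no ip http secure-server":
            http["secure_server"] = False
        elif line.startswith("ip http access-class "):
            http["access_class"] = line.split()[-1]  # ACL name or number
    return accounts, http


def diff_configs(baseline_text: str, running_text: str):
    """Return a list of (severity, message) findings, most severe first."""
    base_accounts, _ = parse_config(baseline_text)
    run_accounts, http = parse_config(running_text)
    findings = []
    for name, priv in sorted(run_accounts.items()):
        if name not in base_accounts:
            sev = "critical" if priv == 15 else "medium"
            findings.append((sev, f"local account {name!r} not in baseline (privilege {priv})"))
        elif priv > base_accounts[name]:
            findings.append(("high", f"account {name!r} privilege raised {base_accounts[name]} -> {priv}"))
    for name in sorted(set(base_accounts) - set(run_accounts)):
        findings.append(("low", f"baseline account {name!r} missing from running config"))
    if (http["server"] or http["secure_server"]) and not http["access_class"]:
        findings.append(("high", "web UI enabled without an ip http access-class restriction"))
    return findings


# Constructed baseline: one admin, one read-only user, HTTPS UI bound to an ACL.
BASELINE_CONFIG = """\
hostname core-sw-01
username netops privilege 15 secret 9 $9$baselinehash
username monitor secret 9 $9$readonlyhash
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
line vty 0 4
 transport input ssh
"""

# Constructed running config after a CVE-2023-20198-style compromise: a new
# privilege-15 account has appeared and the access-class line is gone.
RUNNING_CONFIG = """\
hostname core-sw-01
username netops privilege 15 secret 9 $9$baselinehash
username monitor secret 9 $9$readonlyhash
username svc_backup privilege 15 secret 9 $9$attackerhash
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for severity, message in diff_configs(BASELINE_CONFIG, RUNNING_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the constructed pair it reports the unexpected privilege-15 account as critical and the unrestricted web UI as high; run against the baseline itself it reports nothing. In practice the running configuration is what matters, since an attacker-created account is live whether or not it was ever written to the startup configuration.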

The Broader Network Infrastructure Challenge

CVE-2023-20198 was not the first mass compromise of network infrastructure, and it won't be the last:

  • VPNFilter (2018): Russian state-sponsored malware compromised over 500,000 routers and NAS devices
  • SolarWinds/Sunburst (2020): Supply-chain compromise of the Orion network monitoring platform, giving the attackers a foothold inside thousands of networks
  • Hafnium/ProxyLogon (2021): Mass exploitation of internet-facing Microsoft Exchange servers at the network edge
  • Fortinet campaigns (2022-2023): Repeated exploitation of FortiOS firewall and SSL-VPN vulnerabilities

Network infrastructure is the foundation of organizational security, yet it receives less security attention than the systems it protects. This asymmetry creates opportunities that adversaries have shown they're eager to exploit.

How Safeguard.sh Helps

Safeguard.sh provides the infrastructure visibility that was critically absent during the IOS XE campaign:

  • Network Device Inventory: Safeguard.sh catalogs all network infrastructure, including firmware versions, enabled features, and exposed interfaces.
  • Zero-Day Response: When critical vulnerabilities like CVE-2023-20198 are disclosed, Safeguard.sh immediately identifies affected devices and their exposure level.
  • Configuration Monitoring: Safeguard.sh tracks configuration changes on network devices, detecting unauthorized modifications like the admin accounts created during the IOS XE campaign.
  • Exposure Analysis: Safeguard.sh identifies internet-exposed management interfaces, enabling proactive risk reduction before the next zero-day drops.

The IOS XE campaign demonstrated that network infrastructure is an underprotected attack surface at a massive scale. Safeguard.sh ensures you have visibility into every device, every version, and every exposure in your network.
