CVE-2023-20198

CVE-2023-20198 is a critical vulnerability in the web user interface (UI) of Cisco’s IOS XE Software, assigned a CVSS score of 10.0. When the web UI feature is enabled, this flaw allows remote, unauthenticated attackers to create a local user account with privilege level 15 (full administrative access) on affected devices. This unauthorized access enables attackers to take complete control of the compromised system.

The exploitation of CVE-2023-20198 often involves a two-step process. Attackers first leverage this vulnerability to gain initial access and establish a privileged user account. They then exploit a second vulnerability, CVE-2023-20273, to escalate privileges to root and deploy malicious implants on the device.

This vulnerability affects Cisco IOS XE devices with the web UI feature enabled, which is determined by the presence of the ip http server or ip http secure-server commands in the device’s configuration. Notably, Cisco has observed active exploitation of this vulnerability, leading to unauthorized access and potential system compromise.

To mitigate the risk associated with CVE-2023-20198, Cisco recommends disabling the HTTP Server feature on devices exposed to untrusted networks or the internet. This action can be performed by removing the ip http server and ip http secure-server commands from the device’s configuration. Additionally, upgrading to patched versions of IOS XE Software that address this vulnerability is strongly advised.
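The two indicators this page gives a defender are simple to check mechanically: whether the running configuration still contains ip http server or ip http secure-server, and whether the device runs a patched IOS XE release. The script below is an added example, not ONYPHE's or Cisco's code. It parses constructed sample running-config excerpts (not from any real device), reports which web UI enabling commands are present, and produces the corresponding removal commands; it assumes the usual IOS convention that a command is removed from the configuration with its no-prefixed form entered in configure terminal mode, and it assumes the patch status is supplied by the caller rather than derived from a version string.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpts (not captured from a real device).
EXPOSED_CONFIG = """\
hostname edge-router
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

HARDENED_CONFIG = """\
hostname edge-router
!
no ip http server
no ip http secure-server
!
"""

# Exactly the two commands the page names as enabling the web UI.
# Anchored so that "no ip http server" (already disabled) does not match,
# and so that "ip http authentication local" is not mistaken for an enabler.
WEBUI_ENABLE = re.compile(r"^\s*ip http (server|secure-server)\s*$")


def webui_services(running_config: str) -> List[str]:
    """Return the web UI enabling commands present, in config order."""
    found = []
    for line in running_config.splitlines():
        if WEBUI_ENABLE.match(line):
            found.append(line.strip())
    return found


def assess(running_config: str, version_patched: bool) -> Dict[str, object]:
    """Summarise CVE-2023-20198 exposure for one device.

    version_patched: True if the device already runs an IOS XE release that
    Cisco lists as fixed (assumption: determined by the caller, e.g. from
    'show version' compared against the advisory).
    """
    services = webui_services(running_config)
    webui_enabled = bool(services)
    # Per the page: exposure requires the web UI to be enabled, and patched
    # releases close the flaw even if the web UI stays on.
    exposed = webui_enabled and not version_patched
    # Assumption: each enabling command is removed with its "no" form.
    remediation = [f"no {cmd}" for cmd in services] if webui_enabled else []
    return {
        "webui_enabled": webui_enabled,
        "services": services,
        "exposed": exposed,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = assess(cfg, version_patched=False)
        print(name, result)
```

Run it against the text of show running-config saved from each device; a device whose result shows exposed as True should have the listed no commands applied, or be upgraded, before it is left reachable from an untrusted network.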

Added ONYPHE detection

This detection was added on October 21, 2023 in our engine.
