CVE-2023-20198
Confirmed PUBLISHEDCisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are...
Recommended Action
Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
At a Glance
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
- CVE Published
- Oct 16, 2023
- Exploitation Reported
- Oct 16, 2023
- CVSS
- 10.0 Critical
- EPSS
- 99.6%
Affected Versions
186 version rows · page 2 of 8
| Vendor | Product | Version | Status |
|---|---|---|---|
| Cisco |
Cisco IOS XE Software
|
16.5.3 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.1 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.2 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.3 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.4 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.5 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.4a |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.5a |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.6 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.7 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.8 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.9 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.6.10 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.7.1 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.7.1a |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.7.1b |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.7.2 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.7.3 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.7.4 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.8.1 |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.8.1a |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.8.1b |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.8.1s |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.8.1c |
Affected |
| Cisco |
Cisco IOS XE Software
|
16.8.1d |
Affected |
CVE References
- cisco-sa-iosxe-webui-privesc-j22SaA4z sec.cloudapps.cisco.com · CVE Record https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurity...
Recommended Actions
- Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
- Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CISA First | 2023-10-16 00:00 UTC |
| The Shadowserver | 2026-06-01 00:00 UTC |
| Tenable Blog | 2026-06-02 14:20 UTC |
| KEVIntel | 2026-07-07 13:59 UTC |
Operational indicators for this CVE are listed on the Detection tab.
Observed Exploitation Attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts Observed
- 56
- Unique Attacker IPs
- 10
- Attacker Countries
- 🇩🇪 🇪🇪 🇬🇧 🇮🇳 🇳🇱 🇸🇨 🇸🇬 🇺🇸 🇻🇳
- Sensors Observed
- 14
Exploitation Attempts Over the Last 39 Days
First observed (all time) 2026-06-12 00:33 UTC · Last observed 2026-07-19 02:09 UTC
See more exploitation detail
- Pro — sensor software/region breakdown and 24h/7d window summaries.
- Enterprise — raw attacker IPs, request paths, User-Agents, and payloads.
Indicators of Compromise (IoCs)
Attacker IP IoCs observed in KEVIntel sensors are available to Pro and Enterprise accounts on the Detection tab and through the Pro API.
Learn about Pro API accessObserved Detection Signals (30d)
Aggregate counts from KEVIntel sensor telemetry for this CVE.
- Distinct request paths
- 4
- Distinct User-Agents
- 3
The specific request paths and User-Agents attackers are using are available on Pro and Enterprise plans.
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-20198.yaml | Apr 25, 2025 |
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/cisco_ios_xe_rce.rb | Apr 28, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2023-10-16 00:00:00 UTC · CISA
Active exploitation observed
Recorded 2026-06-12 00:33:04 UTC · KEVIntel sensor
Proof of concept available
Recorded 2023-10-17 07:35:50 UTC · GitHub
Weaknesses (CWE)
-
Unprotected Alternate Channel
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/cisco_ios_xe_rce.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-20198.yaml | Apr 25, 2025 |
| Nessus | https://www.tenable.com/plugins/nessus/184452 | Nov 06, 2023 |
Recent Mentions
Tenable Blog · May 27, 2026
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploitation, and organizational risk.Key takeawaysThe "patch everything" strategy is dead: Vulnerability prioritization based on exploitation risk offers a path forward. A directed graph model linking 600+ threat actors to vulnerabilities in 7,800 customer environments reveals that 68% of organizations carry at least one CVE previously exploited by a named adversary, and 321 tracked threat groups can reach at least one customer environment through an active vulnerability. Prevalence of "Elite Arsenal" CVEs requires immediate attention: The 242 "Elite Arsenal" CVEs — those meeting all three criteria of critical VPR (≥ 9), CISA KEV listing, and documented threat group exploitation — are nearly universally present across the studied customer base, with 241 of 242 actively detected. More than half are five or more years old, and 78% of the persistently exploited core are simultaneously weaponized by nation-state APTs, commodity malware operators, and ransomware gangs. Non-CVE exposures are universally dangerous: Non-CVE exposures, including misconfigurations, weak credentials, and end-of-life software, are present in virtually 100% of studied organizations, with 60% carrying at least one that maps to a tracked threat actor's preferred techniques. Preliminary modeling suggests these exposures may confer more breach risk than CVE-linked findings, yet no industry-standard scoring infrastructure exists to prioritize them.While the first two posts in this blog series documented the accelerating vulnerability flood and the widening remediation gap, today we answer the outstanding question: Where do these forces actually collide inside customer environments? Using a directed graph model that maps more than 600 tracked threat groups to vulnerabilities observed across 7,800 organizations,...
TheHackerNews · Jun 24, 2025
The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory warning of cyber attacks mounted by the China-linked Salt Typhoon actors to breach major global telecommunications providers as part of a cyber espionage campaign. The attackers exploited a critical Cisco IOS XE software (CVE-2023-20198, CVSS score: 10.0) to access configuration
Tenable Blog · May 09, 2025
In this special edition of the Cybersecurity Snapshot, we bring you some of the most valuable guidance offered by the U.K. National Cyber Security Centre (NCSC) in the past 18 months. Check out best practices, recommendations and insights on protecting your AI systems, APIs and mobile devices, as well as on how to prep for post-quantum cryptography, and more.In case you missed it, here are six NCSC recommendations to help your organization fine-tune its cybersecurity strategy and operations.1 - How to migrate to quantum-resistant cryptographyIs your organization planning to adopt cryptography that can resist attacks from future quantum computers? If so, you might want to check out the NCSC’s “Timelines for migration to post-quantum (PQC) cryptography,” a white paper aimed at helping organizations plan their migration to quantum-resistant cryptography.“Migration to PQC can be viewed as any large technology transition. In the guidance, we describe the key steps in such a transition, and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme,” reads a companion blog. At a high-level, the NCSC proposes these three key milestones:By 2028Define the organization’s migration goals.Assess which services and infrastructure need to have their cryptography upgraded to PQC.Draft an initial migration plan that includes, for example, the highest priority migration steps; the necessary investment; and what you’ll need from your suppliers.By 2031Execute the first, most important PQC migration steps.Refine the PQC migration plan to ensure the roadmap will be fulfilled.Ensure your infrastructure is ready to support PQC.By 2035Complete your PQC migration.Organizations need to migrate to PQC because quantum computers will be able to decrypt data protected with today’s public-key cryptographic algorithms. These powerful quantum computers are expected to become generally available at some point between 2030 and 2040.The U.S. National...
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-08-26 08:16:28 UTC · 0 stars
github · Created 2024-04-25 06:59:53 UTC · 38 stars
CVE-2023-20198-RCE, support adding/deleting users and executing cli commands/system commands.
github · Created 2023-12-11 10:41:48 UTC · 2 stars
Cisco CVE-2023-20198
github · Created 2023-11-16 16:39:38 UTC · 45 stars
CVE-2023-20198 Exploit PoC
github · Created 2023-11-03 13:05:59 UTC · 7 stars
An Exploitation script developed to exploit the CVE-2023-20198 Cisco zero day vulnerability on their IOS routers
github · Created 2023-10-25 21:15:58 UTC · 1 stars
github · Created 2023-10-25 21:02:22 UTC · 0 stars
github · Created 2023-10-25 07:13:59 UTC · 2 stars
github · Created 2023-10-24 09:36:37 UTC · 1 stars
Check a target IP for CVE-2023-20198
github · Created 2023-10-23 19:25:29 UTC · 30 stars
This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273
github · Created 2023-10-23 16:04:23 UTC · 8 stars
A PoC for CVE 2023-20198
github · Created 2023-10-18 07:53:29 UTC · 0 stars
Checker for CVE-2023-20198 , Not a full POC Just checks the implementation and detects if hex is in response or not
github · Created 2023-10-17 22:41:14 UTC · 30 stars
CVE-2023-20198 & 0Day Implant Scanner
github · Created 2023-10-17 15:44:01 UTC · 1 stars
cisco-CVE-2023-20198-tester
github · Created 2023-10-17 08:00:18 UTC · 18 stars
CVE-2023-20198 Checkscript
github · Created 2023-10-17 07:35:50 UTC · 0 stars
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:33 UTC about 1 month ago00:33 UTC · about 1 month ago
Observed by KEVIntel sensors
Evidence-backed exploitation signal
-
00:33 UTC about 1 month ago00:33 UTC · about 1 month ago
Indicators of compromise added (10)
Indicators of compromise recorded
-
14:20 UTC about 2 months ago14:20 UTC · about 2 months ago
KEV confirmed by Tenable Blog
Exploitation attested by an external source
-
00:00 UTC about 2 months ago00:00 UTC · about 2 months ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
15:02 UTC about 1 year ago15:02 UTC · about 1 year ago
Metasploit module available
Exploit module available
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
18:46 UTC over 2 years ago18:46 UTC · over 2 years ago
Nessus plugin available
Scanner coverage available
-
07:35 UTC almost 3 years ago07:35 UTC · almost 3 years ago
Public PoC available
Public proof-of-concept code published
-
15:12 UTC almost 3 years ago15:12 UTC · almost 3 years ago
CVE published
Vulnerability disclosed publicly
-
00:00 UTC almost 3 years ago00:00 UTC · almost 3 years ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
18:47 UTC over 3 years ago18:47 UTC · over 3 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2023-20198
{
"cve_id": "CVE-2023-20198",
"title": "Cisco is providing an update for the ongoing investigation into observed expl...",
"affected_vendor": "Cisco",
"affected_product": "Cisco IOS XE Software",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 10.0,
"epss_score": 0.99571,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": true
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}