CVE-2023-20198
BaseFortify
Publication date: 2023-10-16
Last updated on: 2025-10-28
Assigner: Cisco Systems, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rockwellautomation | allen-bradley_stratix_5200_firmware | Up to 17.12.02 (exc) |
| rockwellautomation | allen-bradley_stratix_5200 | * (all versions) |
| rockwellautomation | allen-bradley_stratix_5800_firmware | Up to 17.12.02 (exc) |
| rockwellautomation | allen-bradley_stratix_5800 | * (all versions) |
| cisco | ios_xe | From 16.12 (inc) to 16.12.10a (exc) |
| cisco | ios_xe | From 17.3 (inc) to 17.3.8a (exc) |
| cisco | ios_xe | From 17.6 (inc) to 17.6.6a (exc) |
| cisco | ios_xe | From 17.9 (inc) to 17.9.4a (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| NVD-CWE-Other | Other (NVD placeholder used when no specific CWE is assigned) |
| CWE-420 | The product protects a primary channel, but it does not use the same level of protection for an alternate channel. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-20198 is a critical vulnerability in the Cisco IOS XE Software Web UI feature that allows an attacker to gain initial unauthorized access by exploiting the web UI when enabled via the 'ip http server' or 'ip http secure-server' commands. The attacker can execute a privilege 15 command to create a local user account with normal user privileges. This local user can then be used to escalate privileges further through another vulnerability (CVE-2023-20273) to gain root access and install persistent implants on the system. The web UI is used for system provisioning, monitoring, and troubleshooting without CLI expertise, and the vulnerability affects releases where this feature is enabled by default. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to gain unauthorized initial access to your Cisco IOS XE device through the web UI, create a local user account, and then escalate privileges to root. This means the attacker can fully control the device, install persistent implants, and potentially disrupt network operations, steal sensitive information, or manipulate system configurations. Because the web UI is often enabled by default, devices may be exposed if not properly secured or updated. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the web UI feature is enabled via the presence of the commands `ip http server` or `ip http secure-server` in the running configuration. If these commands are present alongside `ip http active-session-modules none` or `ip http secure-active-session-modules none`, the vulnerabilities are not exploitable over HTTP or HTTPS respectively. Indicators of compromise include system log messages such as `%SYS-5-CONFIG_P` with unknown usernames, `%SEC_LOGIN-5-WEBLOGIN_SUCCESS` for successful web UI logins, and `%WEBUI-6-INSTALL_OPERATION_INFO` involving unexpected filenames. Cisco Talos provides a detection command using a specially crafted curl POST request to the `/webui/logoutconfirm.html` endpoint with an authorization header; a hexadecimal string response indicates implant presence. Additionally, Snort IDS rules (IDs 3:50118, 3:62527-3:62529, 3:62541, 3:62542) can detect initial implant injection, interaction, and exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the HTTP Server feature by issuing the commands `no ip http server` and `no ip http secure-server`, which effectively eliminate the attack vector. If disabling the HTTP Server is not feasible, restrict access to the HTTP Server to trusted networks using access control lists (ACLs), for example, allowing only the 192.168.0.0/24 network. After making configuration changes, save the running configuration to prevent reversion on reload. Cisco has also released free software updates that fix these vulnerabilities, and customers should apply these updates as soon as possible. [1]
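The detection and mitigation answers above can be turned into a small triage script that a defender runs over a device's exported running configuration and syslog. The following is an added example, not code from BaseFortify or from Cisco's advisory. It applies the two checks described above: whether the web UI is still reachable (`ip http server` / `ip http secure-server` configured without the matching `active-session-modules none` line), and whether syslog carries the three message IDs listed as indicators of compromise with a username or filename the device does not account for. The configuration excerpt, log lines, hostname, username and filename are constructed for the example; the log message layouts follow the standard IOS XE format, but every value in them is made up. The Talos implant check that uses a crafted HTTP request is deliberately not reproduced here.

```python
"""Added example: offline triage of an IOS XE running-config and syslog export
against the CVE-2023-20198 exposure and indicator checks described on the page.
All sample data below is constructed; nothing here comes from a real device."""
import re

# Constructed running-config excerpt. Plain HTTP has been disabled, but the
# HTTPS server is still on, and only the HTTP side has the
# active-session-modules mitigation applied, so the HTTPS side stays exposed.
SAMPLE_CONFIG = """\
hostname example-edge-1
!
username admin privilege 15 secret 9 $9$constructed-placeholder
!
no ip http server
ip http secure-server
ip http active-session-modules none
!
end
"""

# Constructed syslog lines. The three message IDs are the ones the advisory
# lists as indicators; the username, source address and filename are made up.
SAMPLE_SYSLOG = """\
Oct 16 2023 10:01:02: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as unexpected-user-1 on vty0
Oct 16 2023 10:01:03: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: unexpected-user-1] [Source: 192.0.2.77] at 10:01:03 UTC Mon Oct 16 2023
Oct 16 2023 10:02:10: %WEBUI-6-INSTALL_OPERATION_INFO: User: unexpected-user-1, Install Operation: ADD filename: bootflash:/constructed-sample.tar
Oct 16 2023 10:05:00: %LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
"""

# (transport, line that enables the web UI, line that neutralises exploitation)
WEB_UI_CHECKS = (
    ("http", "ip http server", "ip http active-session-modules none"),
    ("https", "ip http secure-server", "ip http secure-active-session-modules none"),
)

# How to pull the interesting field out of each indicator message.
IOC_PATTERNS = {
    "%SYS-5-CONFIG_P": re.compile(r" as (?P<user>\S+) on\b"),
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS": re.compile(r"\[user: (?P<user>[^\]]+)\]"),
    "%WEBUI-6-INSTALL_OPERATION_INFO": re.compile(r"filename: (?P<file>\S+)"),
}


def web_ui_exposure(config: str) -> dict:
    """Per transport, True when the web UI is enabled and not neutralised."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        transport: (enable in lines) and (neutralise not in lines)
        for transport, enable, neutralise in WEB_UI_CHECKS
    }


def configured_users(config: str) -> set:
    """Usernames declared with `username <name> ...` in the running-config."""
    return {
        m.group(1)
        for m in re.finditer(r"^\s*username\s+(\S+)", config, re.MULTILINE)
    }


def scan_syslog(syslog: str, known_users: set, expected_files=()) -> list:
    """Return indicator messages whose user or filename is not accounted for.

    CONFIG_P and WEBLOGIN_SUCCESS are flagged when the user is not a
    configured account; INSTALL_OPERATION_INFO is flagged when the filename
    is not one the operator expected to install.
    """
    hits = []
    for line in syslog.splitlines():
        for msg_id, pattern in IOC_PATTERNS.items():
            if msg_id not in line:
                continue
            match = pattern.search(line)
            detail = match.groupdict() if match else {}
            user, filename = detail.get("user"), detail.get("file")
            if user is not None and user in known_users:
                continue
            if filename is not None and filename in expected_files:
                continue
            hits.append({"msg": msg_id, "user": user, "file": filename, "line": line})
    return hits


def triage(config: str, syslog: str, expected_files=()) -> dict:
    """Combine both checks into one report for a device."""
    return {
        "web_ui_exposed": web_ui_exposure(config),
        "indicators": scan_syslog(syslog, configured_users(config), expected_files),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CONFIG, SAMPLE_SYSLOG)
    for transport, exposed in report["web_ui_exposed"].items():
        print(f"web UI over {transport}: {'EXPOSED' if exposed else 'not reachable'}")
    for hit in report["indicators"]:
        print(f"indicator {hit['msg']}: user={hit['user']} file={hit['file']}")
```

Run against the constructed sample, the script reports the HTTPS side as still exposed (the operator only added `ip http active-session-modules none`, which covers plain HTTP) and flags all three indicator lines, because `unexpected-user-1` is not a configured account and the installed filename was not expected. Re-running after `no ip http secure-server` (or `ip http secure-active-session-modules none`) is added to the configuration shows both transports as not reachable, which is the state the mitigation steps above aim for.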