CVE-2023-20198 Explained: Cisco IOS XE Web UI Zero-Day and the 50,000-Device Compromise
A CVSS 10.0 unauthenticated privilege escalation vulnerability in Cisco IOS XE's web management interface. Over 50,000 devices compromised within 48 hours. Chained with CVE-2023-20273 to drop a Lua-based implant on the device.

Founder & Cybersecurity Evangelist
CVE-2023-20198 is a maximum-severity (CVSS 10.0) privilege escalation vulnerability in the web UI feature of Cisco IOS XE software. An unauthenticated remote attacker can exploit it to create a new local account with privilege level 15 (full administrative access) on the target device. Cisco published its advisory on October 16, 2023, after confirming that the flaw was already being exploited in the wild as a zero-day.
Within 48 hours of public awareness, security researchers observed over 50,000 Cisco IOS XE devices compromised globally. Attackers chained CVE-2023-20198 with a second vulnerability, CVE-2023-20273, to drop a Lua-based implant that provided backdoor access independent of the created administrator account. Per Cisco's reporting the implant itself did not survive a reboot, but the privilege-15 accounts did, so a rebooted device stayed under attacker control until those accounts were removed.
The Two-CVE Chain: Account Creation to Root-Level Implant
CVE-2023-20198 affects Cisco IOS XE devices — including switches, routers, and wireless controllers — where the HTTP Server feature (web management interface) is enabled and accessible. The vulnerability allows an unauthenticated attacker to send a crafted HTTP request to the web UI that triggers a code path creating a new local user account with privilege level 15.
Privilege level 15 in IOS XE is roughly equivalent to root on a Unix system: full enable-mode access with unrestricted configuration rights. The created account is usable the moment it is written, with no approval step of any kind; the only trace on the device is the syslog output the web UI process emits when it writes configuration.
With the newly created admin account, attackers then exploited CVE-2023-20273, a command injection vulnerability in another component of the web UI that on its own requires privilege-15 credentials, to execute arbitrary commands as root on the Linux operating system underneath IOS XE. This second vulnerability elevated access from IOS-level administrator to the host OS.
The final stage: a Lua-based implant written to the file system and loaded by the Nginx server that backs the web UI. The implant accepted commands through HTTP requests matching a specific URL pattern and returned their output in the response, giving backdoor access that no longer depended on the created account. Partway through the campaign the attackers modified it to answer only when an HTTP Authorization header it expected was present, so the detection check published days earlier stopped returning results on devices carrying the updated variant.
Identify exposed IOS XE web UI
Scan for Cisco IOS XE devices with the HTTP Server feature enabled on port 80 or 443. Exposed devices are discoverable through Shodan, Censys, and similar internet scan databases; scans run during the campaign found tens of thousands of IOS XE web UIs reachable from the internet.
Exploit CVE-2023-20198 to create admin account
Send a crafted unauthenticated HTTP request to the web management interface that triggers the account creation vulnerability, establishing a new privilege level 15 local user.
Authenticate with new account
Log into the device using the newly created administrator account. Full IOS XE configuration access is immediately available.
Exploit CVE-2023-20273 for root execution
Use the authenticated web UI to trigger the CVE-2023-20273 command injection, escaping from IOS XE privilege level 15 to a root shell on the underlying Linux operating system.
Deploy Lua implant
Write a Lua-based malicious component to the file system and have the web UI's Nginx server load it. The implant accepts commands through HTTP requests matching a specific URI pattern. It does not survive a reboot, but the privilege-15 account does, so the attacker can simply redeploy it.
Maintain stealth
The implant was updated during the campaign to hide from detection queries that Cisco and researchers published. This iterative evasion suggests active operational management of the compromised device fleet.
Why Network Infrastructure Vulnerabilities Are Particularly Severe
The 50,000-device compromise scale of CVE-2023-20198 is striking, but the deeper concern is what network infrastructure access enables that endpoint compromise does not.
A compromised IOS XE switch or router sits in the data path for all traffic traversing it. An attacker with root access to a network device can: capture plaintext traffic (including credentials on unencrypted protocols), redirect traffic to attacker-controlled hosts to attempt man-in-the-middle attacks on sessions that do not validate certificates, manipulate routing tables to redirect traffic flows, create persistent tunnels that bypass security monitoring, and disable port security and 802.1X controls that restrict which devices may join the network.
Detection is harder than for endpoint compromise. Network device agents are uncommon. EDR visibility does not extend to IOS XE. Syslog and SNMP monitoring provide limited behavioral telemetry compared to endpoint logging. The Lua implant deployed in CVE-2023-20198 exploitation ran inside Nginx, a legitimate component of the web UI, so there was no new process to spot; the evidence was in the web UI's HTTP behaviour and in a handful of syslog messages.
The attacker's decision to update the implant mid-campaign to evade published detection methods indicates a sophisticated operator with ongoing operational awareness — monitoring security industry response and adapting in near-real-time.
“The scale of this attack is unprecedented. Over 50,000 IOS XE devices were compromised within 48 hours of public awareness, with a persistent implant designed to survive remediation.”
— VulnCheck Security Research, October 2023
Detection and Remediation for CVE-2023-20198
Cisco began releasing fixed IOS XE versions in late October 2023, with the remaining software trains following over the subsequent weeks. Detection and remediation require multiple steps: patching closes the two CVEs, but it does not remove accounts or implants already on the device.
Apply Cisco IOS XE security patches immediately
Update to the patched IOS XE versions published in Cisco's advisory. Check the Cisco Software Checker tool for your specific device and software train. Both CVE-2023-20198 and CVE-2023-20273 are addressed in the same patch cycle.
Disable the HTTP Server feature immediately if unused
Run: no ip http server and no ip http secure-server in global configuration mode to disable the web UI entirely. The web UI is required for some management workflows but should be disabled if not actively used. This eliminates both CVEs' attack surface.
Audit for unauthorized local accounts
Run: show running-config | section username (or show running-config | include username) to display all local user accounts. Remove any account not in your authorized baseline and rotate any credentials the attacker could have read from the configuration. Cisco reported the observed attacker accounts as cisco_tac_admin and cisco_support alongside apparently random names, but treat any unexplained privilege-15 account as hostile. Correlate with syslog: a %SYS-5-CONFIG_P message naming the process SEP_webui_wsma_http records a configuration write made through the web UI.
Check for implant presence
The implant can be detected by querying: curl -k -X POST https://[device-ip]/webui/logoutconfirm.html?logon_hash=1. A hexadecimal string in the response indicates the implant is present. A negative result is not proof of a clean device: the implant variant seen later in the campaign only responds when an HTTP Authorization header it expects is present, and a reboot removes the implant while leaving the attacker's account in place. Cisco Talos has also published Snort signatures for the implant traffic, and Cisco's advisory lists syslog indicators such as %WEBUI-6-INSTALL_OPERATION_INFO messages showing an ADD operation by an unexpected user.
Restrict web UI access by IP
If the web UI must remain enabled, apply an access list restricting management interface access to trusted management station IPs only. IOS XE supports ip http access-class for this purpose (ip http access-class ipv4 <acl-name> on current releases; the legacy form takes a numbered ACL), and the interface should be reachable only from an out-of-band management network. Never expose the management interface directly to the internet.
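The account audit, web UI exposure check, syslog correlation and implant-response triage above, pulled together as one small offline script. This is an added example, not Cisco tooling or code from the original page: the running-config excerpt, syslog lines and HTTP response bodies are constructed samples, the AUTHORIZED_USERS baseline is an assumption, and the syslog message formats follow the indicators in Cisco's advisory while every hostname, username, address and timestamp in them is made up.

```python
"""Offline triage helpers for CVE-2023-20198 / CVE-2023-20273 exposure.

Added example, not Cisco's tooling. Every input here is a constructed sample:
a running-config excerpt, a syslog excerpt and HTTP response bodies from the
implant check Cisco Talos published. Device names, addresses, timestamps and
the authorised-user baseline are assumptions for illustration.
"""
import re

# Constructed running-config excerpt in IOS XE syntax (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-sw01
!
username netops privilege 15 secret 9 $9$REDACTEDREDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTEDREDACTED
username backup-oper privilege 1 secret 9 $9$REDACTEDREDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Assumed baseline of the accounts that belong on this device.
AUTHORIZED_USERS = {"netops", "backup-oper"}

# Constructed syslog lines. The message formats are the indicators Cisco
# published for this campaign; host, user, address and time values are made up.
SAMPLE_SYSLOG = """\
Oct 17 03:12:41 edge-sw01 1234: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.9] at 03:12:41 UTC Tue Oct 17 2023
Oct 17 03:12:45 edge-sw01 1235: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
Oct 17 03:13:02 edge-sw01 1236: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD filename
Oct 17 08:00:00 edge-sw01 1300: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (198.51.100.7)
"""

USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)\b", re.M)
ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)", re.M)

# Campaign indicators: a web UI login, a configuration write performed by the
# web UI process (how the privilege-15 account was added), and a file ADD via
# the web UI install operation (how the implant was written to disk).
INDICATOR_RES = {
    "webui_login": re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\]"),
    "webui_config_write": re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http"),
    "webui_install_add": re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), Install Operation: ADD"),
}


def web_ui_exposure(running_config):
    """Summarise whether the web UI is enabled and whether an access-class restricts it."""
    lines = {line.strip() for line in running_config.splitlines()}
    acl = ACCESS_CLASS_RE.search(running_config)
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
        "access_class": acl.group(1) if acl else None,
    }


def unauthorized_privilege15_users(running_config, authorized=AUTHORIZED_USERS):
    """Return local privilege-15 accounts that are not in the baseline."""
    return sorted(
        user for user, level in USERNAME_RE.findall(running_config)
        if int(level) == 15 and user not in authorized
    )


def syslog_indicators(syslog_text):
    """Return (indicator_name, line) pairs for lines matching the campaign IOCs."""
    hits = []
    for line in syslog_text.splitlines():
        for name, rx in INDICATOR_RES.items():
            if rx.search(line):
                hits.append((name, line))
    return hits


HEX_RE = re.compile(r"^[0-9a-fA-F]{8,}$")


def classify_implant_check(response_body):
    """Classify the body returned by POST /webui/logoutconfirm.html?logon_hash=1.

    A bare hexadecimal string means the implant answered. Anything else is
    inconclusive rather than clean: the variant seen later in the campaign
    only answers when the HTTP Authorization header it expects is present.
    """
    if HEX_RE.match(response_body.strip()):
        return "implant-responded"
    return "inconclusive"
```

Feed the functions the saved output of show running-config and show logging from each device, and pass the body returned by the curl check to classify_implant_check; an inconclusive result on a device that was internet-exposed during the campaign should be escalated for a full account audit, not closed.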
The bottom line
CVE-2023-20198 is a reminder that network infrastructure is attack surface — not just the medium through which attacks traverse. Cisco IOS XE devices are not passive conduits. They are computers running an operating system, and a root-level compromise of that operating system provides capabilities that sit above, below, and around traditional endpoint security controls.
Fifty thousand compromised devices in 48 hours is an extraordinary exploitation velocity. The network operators who saw this impact fastest were those who had exposed their IOS XE web management interface directly to the internet — a configuration that provides no operational benefit that could justify the risk and should be treated as a policy violation, not just a best practice suggestion.
The durable lessons: disable management interfaces that are not operationally required, restrict those that are required to trusted source IPs only, patch network device operating systems with the same urgency as servers and endpoints, and build monitoring capability that extends below the endpoint layer to the network infrastructure itself.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.