Cisco IOS XE, unauthenticated remote attacker creates privilege-15 account via Web UI
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to create an account on an affected system with privilege level 15 access.
Overview
CVE-2023-20198 is a critical vulnerability in the Web UI feature of Cisco IOS XE Software that allows an unauthenticated, remote attacker to create an account with privilege level 15 (full administrative) access on affected systems. This vulnerability was mass-exploited in October 2023, resulting in the compromise of an estimated 40,000-50,000 devices within approximately 72 hours, making it one of the most rapidly exploited vulnerabilities in recent history.
Technical Details
The vulnerability exists in the IOS XE Web UI, which is enabled via the ip http server or ip http secure-server commands. The Web UI accepts unauthenticated requests to certain endpoints and improperly grants the caller the ability to create a fresh local user account with privilege level 15, the highest administrative access level on Cisco devices.
Once attackers establish this administrative foothold, they can deploy persistence mechanisms. In the October 2023 campaign, attackers leveraged this initial access to install the "BadCandy" implant chain through a secondary vulnerability (CVE-2023-20273). The attack chain required no authentication and could be executed against any Internet-reachable IOS XE device with the Web UI enabled.
IOS XE is deployed across a wide range of Cisco platforms including branch routers, Catalyst switches, and ISR/ASR platforms. The Web UI is enabled by default in many SMB deployments, significantly expanding the attack surface.
Impact
The impact of this vulnerability is severe:
- Complete device compromise: Attackers gain full administrative control over affected devices
- Mass exploitation: Approximately 40,000-50,000 devices were compromised within 72 hours during October 2023
- Persistence capability: Compromised devices received backdoor implants enabling long-term attacker access
- Network infrastructure risk: Compromised routers and switches can be used for traffic interception, lateral movement, and further attacks
CISA issued Emergency Directive ED-24-01 in response to this threat.
Mitigation
- Patch immediately: Update to fixed IOS XE versions per Cisco advisory cisco-sa-iosxe-webui-privesc-j22SaA4z
- Disable Web UI: If not required, disable it with the no ip http server and no ip http secure-server commands
- Restrict access: If Web UI is required, restrict access to trusted management networks only
- Verify integrity: Run Cisco's published Web UI integrity check against all devices
Detection
- Audit configurations for unknown local accounts: show running-config | include username
- Check for unauthorized implants: show platform software iox-service
- Review logs for unexpected account creation events
- Use Cisco's curl-based proof-of-concept checker to verify device integrity
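As an added example (not from Cisco or this advisory), the following script automates the two configuration checks above: it parses "show running-config" output for local accounts, flags any privilege-15 account absent from an approved baseline, and reports whether either Web UI command is still active. The sample configuration, the account names and the baseline are constructed for illustration.

```python
import re

# Constructed sample of "show running-config" output (not from a real device)
SAMPLE_CONFIG = """\
hostname EDGE-RTR-01
!
ip http server
ip http secure-server
!
username netadmin privilege 15 secret 9 $9$constructedhash1
username backup secret 9 $9$constructedhash2
username svc_webui_tmp privilege 15 secret 9 $9$constructedhash3
!
"""

# Constructed baseline: accounts the organisation expects on this device
APPROVED_ACCOUNTS = {"netadmin", "backup"}

# IOS XE syntax: "username <name> [privilege <n>] ..."; privilege defaults to 1
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def parse_local_accounts(config):
    """Return {username: privilege_level} for every local account in the config."""
    accounts = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            accounts[m.group(1)] = int(m.group(2) or 1)
    return accounts


def web_ui_enabled(config):
    """True if either HTTP server form is present and not negated with 'no'."""
    lines = {line.strip() for line in config.splitlines()}
    return "ip http server" in lines or "ip http secure-server" in lines


def audit(config, approved):
    """Flag privilege-15 accounts outside the baseline and report Web UI exposure."""
    accounts = parse_local_accounts(config)
    unknown = sorted(u for u, p in accounts.items() if p == 15 and u not in approved)
    return {"web_ui_enabled": web_ui_enabled(config), "unknown_priv15": unknown}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, APPROVED_ACCOUNTS))
```

Run it over the saved output of "show running-config" from each device; any entry in unknown_priv15 or a web_ui_enabled result of True on a device that does not need the Web UI warrants follow-up.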