CVE-2023-20198

Published Oct 16, 2023

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2023-20198 is a vulnerability found in the web UI feature of Cisco IOS XE Software. It involves improper path validation, which allows attackers to bypass Nginx filtering and access the webui_wsma_http web endpoint without authentication. This access enables execution of arbitrary Cisco IOS commands or configuration changes with Privilege 15. Exploitation of this vulnerability typically involves targeting two specific XML SOAP endpoints: cisco:wsma-exec for command execution and configuration changes, and cisco:wsma-config for tasks like adding new user accounts. Attackers were observed exploiting CVE-2023-20198 to gain initial access, create a local user account, and then leverage another vulnerability (CVE-2023-20273) to escalate privileges to root and install malware. Cisco IOS XE Software runs on various Cisco networking devices, including routers, switches, and wireless controllers.

Description
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
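Both paragraphs above end at the same observable artefact: a privilege-15 local account the device owner never created, created through a web UI whose HTTP server was reachable. The Python audit below is an added example, not Cisco's or Intruder's code; it diffs two constructed IOS XE running-config excerpts (placeholder user names and secrets) to flag privilege-15 users absent from a baseline and reports whether `ip http server` / `ip http secure-server` are still enabled, since disabling those commands takes the web UI off the network.

```python
import re

# Constructed sample running-config excerpts; names and hashes are placeholders.
BASELINE_CONFIG = """\
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
ip http server
ip http secure-server
"""
CURRENT_CONFIG = """\
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER2
ip http server
ip http secure-server
"""
HARDENED_CONFIG = """\
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
no ip http server
no ip http secure-server
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-server|server)\s*$", re.MULTILINE)


def privilege15_users(config: str) -> set[str]:
    """Local accounts configured at privilege 15 (full administrative access)."""
    return {name for name, level in USER_RE.findall(config) if level == "15"}


def web_ui_enabled(config: str) -> dict[str, bool]:
    """State of the HTTP/HTTPS servers that host the web UI. The 'no' form
    disables them; a line that is absent is treated as disabled (assumption)."""
    state = {"server": False, "secure-server": False}
    for negated, kind in HTTP_RE.findall(config):
        state[kind] = not negated
    return state


def audit(baseline: str, current: str) -> dict:
    """Flag privilege-15 users missing from the baseline and an enabled web UI."""
    new_users = privilege15_users(current) - privilege15_users(baseline)
    ui = web_ui_enabled(current)
    return {"new_priv15_users": sorted(new_users),
            "web_ui_exposed": ui["server"] or ui["secure-server"]}


if __name__ == "__main__":
    print(audit(BASELINE_CONFIG, CURRENT_CONFIG))   # flags svc_backup, web UI on
    print(audit(BASELINE_CONFIG, HARDENED_CONFIG))  # nothing new, web UI off
```

Feed it `show running-config` output from a device and a known-good snapshot of the same device; a non-empty `new_priv15_users` list is the account-creation step the advisory describes and warrants the vendor's compromise checks.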
Source
psirt@cisco.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Cisco IOS XE Web UI Privilege Escalation Vulnerability
Exploit added on
Oct 16, 2023
Exploit action due
Oct 20, 2023
Required action
Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.

Weaknesses

psirt@cisco.com
CWE-420
nvd@nist.gov
NVD-CWE-Other

Social media

Hype score
Not currently trending
  1. Question 2 - Amelia Larson (refresh for new alias) An extremely advanced infiltration codenamed "Salt Typhoon" referencing CVE-2018-0171 and CVE-2023-20198 is threatening Canada's security. This question is far more difficult than previous ones, with three distinct part @NSAGov

    @EnigmaTyphoon

    31 Mar 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. amphetamine is not prescribed in china at most you get 15mg concerta per day; so you guys still got CVE-2018-0171 and CVE-2023-20198 and didn't know how to patch huh? @NSAGov spanking H1B spanking ... the systemic problems remain

    @EnigmaTyphoon

    30 Mar 2025

    103 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. naive same in same out diff reinforced prompt; Fully implement all parts of problem 2: you are analyst whomever and your job is to help prevent Canada from being vulnerable to CVE-2023-20198 and CVE-2023-20273 which are the two zero day exploits behind the "Salt Typhoon" https://

    @EnigmaTyphoon

    27 Mar 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. ok @JustinTrudeau For problem 1, you are insert randomly distributed Canadian name by gender and language spoken, dynamically random, you are analyst whomever and your job is to help prevent Canada from being vulnerable to CVE-2023-20198 and CVE-2023-20273 which are the two zero

    @EnigmaTyphoon

    27 Mar 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Cisco Vulnerability Exploitation My research indicates that the Salt Typhoon hacking group has been actively exploiting vulnerabilities, specifically CVE-2023-20198 and CVE-2023-20273, in Cisco IOS XE software. These exploits have been used to target telecom providers globally,

    @EnigmaTyphoon

    27 Mar 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2023-20198 and CVE-2023-20273.

    @EnigmaTyphoon

    27 Mar 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Actively exploited CVE : CVE-2023-20198

    @transilienceai

    3 Mar 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. Chinese hackers have attacked more US telecommunications providers through unpatched Cisco routers. The threat that Cisco's vulnerabilities pose to the global telecommunications sector is becoming ever more serious. Cisco routers Salt Typhoon cyberwar CVE-2023-20198 CVE-…

    @linuxmint_hun

    1 Mar 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. With Recorded Future reporting that Salt Typhoon attacks were carried out by exploiting CVE-2023-20198 in Cisco IOS XE (though not officially confirmed by Cisco), and GreyNoise observing active attacks, I did a survey for the first time in a while. Shodan identified 43750 devices, 39676 of which are still exposed, and of those 55%, or 21714 devices, are potentially vulnerable. https://t.co/ZkVV8fAiZU

    @nekono_naha

    26 Feb 2025

    2226 Impressions

    4 Retweets

    21 Likes

    11 Bookmarks

    0 Replies

    1 Quote

  10. 🚨 Ongoing attacks linked to the Salt Typhoon group exploit Cisco vulnerabilities CVE-2018-0171 and CVE-2023-20198, targeting telecom sectors. Significant breaches reported. #CiscoSecurity #China #VulnerabilityExploitation link: https://t.co/T2RU9MUNaZ https://t.co/RW7WZeshHE

    @TweetThreatNews

    26 Feb 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 110 IP addresses are actively attacking CVE-2023-20198, a vulnerability in Cisco network equipment, GreyNoise reports. This is linked to the hacking of major telecommunications carriers by China's Salt Typhoon group, and exploitation of CVE-2018-0171 is also being seen. https://t.co/LRya8zN4EO

    @__kokumoto

    25 Feb 2025

    720 Impressions

    0 Retweets

    5 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  12. Attacks targeting Cisco devices are intensifying, with attackers including state-sponsored groups exploiting unpatched vulnerabilities. CVE-2023-20198 (privilege escalation, CVSS 10.0) is being attacked from 110 malicious IPs (Bulgaria 38%, Brazil 27%, Singapore 19%), and the number of attacks has tripled since October 2024. In addition, the seven-year-old CVE-2018-0171 (Smart… https://t.co/PW34ciL9Ne

    @yousukezan

    25 Feb 2025

    2275 Impressions

    2 Retweets

    24 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 Exploitation: Salt Typhoon-Linked CVEs 🚨 🔹 CVE-2023-20198 – 110+ IPs (🇧🇬🇧🇷🇸🇬) 🔹 CVE-2018-0171 – Attempts from 🇨🇭🇺🇸https://t.co/4XtqUm2Pds #salttyphoon #cve

    @GreyNoiseIO

    24 Feb 2025

    1007 Impressions

    2 Retweets

    8 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  14. Actively exploited CVE : CVE-2023-20198

    @transilienceai

    22 Feb 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  15. Actively exploited CVE : CVE-2023-20198

    @transilienceai

    19 Feb 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. 🔒 Cyber Alert: Chinese hackers (Salt Typhoon) breached 1,000+ Cisco routers via CVE-2023-20198 & CVE-2023-20273. Targets: U.S. gov, law enforcement, telecoms. Patch IOS XE now! Disable public admin access. Full report: https://t.co/wuzeZ1NBQ6 #CyberSecurity #Cisco

    @BeaconPulseLtd

    18 Feb 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. RedMike is exploiting CVE-2023-20198 & CVE-2023-20273 to target 1,000+ Cisco devices in a global espionage campaign. More details: 🔗 https://t.co/BXKNfGoZyw #CyberSecurity #ThreatIntelligence

    @adriananglin

    18 Feb 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Chinese Hackers Breach U.S. Telecoms via Unpatched Cisco Routers! Salt Typhoon exploits Cisco IOS XE flaws (CVE-2023-20198, CVE-2023-20273) to infiltrate U.S. telecoms, government networks, & law enforcement wiretaps! Over 1,000 devices targeted globally! 🌍 Patch immediate

    @dCypherIO

    17 Feb 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Actively exploited CVE : CVE-2023-20198

    @transilienceai

    17 Feb 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  20. Actively exploited CVE : CVE-2023-20198

    @transilienceai

    16 Feb 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  21. Actively exploited CVE : CVE-2023-20198

    @transilienceai

    15 Feb 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. Another telecom breach via unpatched Cisco routers, with China’s Salt Typhoon hackers still exploiting CVE-2023-20198 and CVE-2023-20273. If you're running Cisco IOS XE, patch NOW or risk being the next victim. #CyberSecurity #ZeroDay #NetworkSecurity #DataBreach #PatchNow https:

    @robbebel

    14 Feb 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. The cybercriminal group Salt Typhoon hacked US telecommunications providers through unpatched Cisco IOS XE network devices, exploiting the vulnerabilities CVE-2023-20198 and CVE-2023-20273. 🧉 https://t.co/Eg3aC2FzbN

    @MarquisioX

    14 Feb 2025

    43 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Salt Typhoon exploits vulnerabilities in Cisco devices. Cyber Security, cisco, CVE-2023-20198, cyber espionage, featured, cyber warfare, RedMike, Salt Typhoon, sanctions, telecommunications, USA, vulnerabilities https://t.co/facOxtlHtQ https://t.co/sSQbNCmWWq

    @matricedigitale

    14 Feb 2025

    29 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  25. Insikt Group reported that the Chinese state-sponsored group RedMike exploited unpatched Cisco devices in global telecoms, using vulnerabilities CVE-2023-20198 and CVE-2023-20273 for persistent access and data exfiltration. #Cybersecurity https://t.co/nDqfmnKj4y

    @Cyber_O51NT

    13 Feb 2025

    151 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  26. #exploit 1. CVE-2024-20356: https://t.co/b3SJunTBHe 2. "Randar" Minecraft Exploit: Explanation and Information https://t.co/1SZ69aiDJH 3. CVE-2023-20198: Cisco IOS XE Privilege Escalation https://t.co/KibbxvO9gJ

    @ksg93rd

    23 Nov 2024

    136 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  27. 🚨🔍 Top 5 most exploited CVEs of 2023: 1️⃣ CVE-2023-3519 (Citrix NetScaler): Buffer overflow for remote code execution. 2️⃣ CVE-2023-4966 (Citrix NetScaler): Token leakage risk. 3️⃣ CVE-2023-20198 (Cisco IOS XE): Unauthorized admin access.

    @AugustineCyber

    17 Nov 2024

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  28. CISA has published a summary of the vulnerabilities most frequently exploited in 2023. 2023 Top Routinely Exploited Vulnerabilities https://t.co/ulfm6a7TUz ◆CVE-2023-3519: Citrix ◆CVE-2023-4966: Citrix ◆CVE-2023-20198: Cisco ◆CVE-2023-20273: Cisco ◆CVE-2023-27997: Fortinet… https://t.co/5hY9DKZUl3 https://t.co/G9ylY3EdvP

    @taku888infinity

    13 Nov 2024

    1354 Impressions

    1 Retweet

    8 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations