AI description
CVE-2023-20198 is a vulnerability found in the web UI feature of Cisco IOS XE Software. It involves improper path validation, which allows attackers to bypass Nginx filtering and access the webui_wsma_http web endpoint without authentication. This access enables execution of arbitrary Cisco IOS commands or configuration changes with Privilege 15. Exploitation of this vulnerability typically involves targeting two specific XML SOAP endpoints: cisco:wsma-exec for command execution and configuration changes, and cisco:wsma-config for tasks like adding new user accounts. Attackers were observed exploiting CVE-2023-20198 to gain initial access, create a local user account, and then leverage another vulnerability (CVE-2023-20273) to escalate privileges to root and install malware. Cisco IOS XE Software runs on various Cisco networking devices, including routers, switches, and wireless controllers.
- Description: Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
- Source: psirt@cisco.com
- NVD status: Analyzed
CVSS 3.1
- Type: Primary
- Base score: 10
- Impact score: 6
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Severity: CRITICAL
Data from CISA
- Vulnerability name: Cisco IOS XE Web UI Privilege Escalation Vulnerability
- Exploit added on: Oct 16, 2023
- Exploit action due: Oct 20, 2023
- Required action: Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.
- psirt@cisco.com: CWE-420
- nvd@nist.gov: NVD-CWE-Other
- Hype score: Not currently trending
Question 2 - Amelia Larson (refresh for new alias) An extremely advanced infiltration codenamed "Salt Typhoon" referencing CVE-2018-0171 and CVE-2023-20198 is threatening Canada's security. This question is far more difficult than previous ones, with three distinct part @NSAGov
@EnigmaTyphoon
31 Mar 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
amphetamine is not prescribed in china at most you get 15mg concerta per day; so you guys still got CVE-2018-0171 and CVE-2023-20198 and didn't know how to patch huh? @NSAGov spanking H1B spanking ... the systemic problems remain
@EnigmaTyphoon
30 Mar 2025
103 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
naive same in same out diff reinforced prompt; Fully implement all parts of problem 2: you are analyst whomever and your job is to help prevent Canada from being vulnerable to CVE-2023-20198 and CVE-2023-20273 which are the two zero day exploits behind the "Salt Typhoon" https://
@EnigmaTyphoon
27 Mar 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
ok @JustinTrudeau For problem 1, you are insert randomly distributed Canadian name by gender and language spoken, dynamically random, you are analyst whomever and your job is to help prevent Canada from being vulnerable to CVE-2023-20198 and CVE-2023-20273 which are the two zero
@EnigmaTyphoon
27 Mar 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Cisco Vulnerability Exploitation My research indicates that the Salt Typhoon hacking group has been actively exploiting vulnerabilities, specifically CVE-2023-20198 and CVE-2023-20273, in Cisco IOS XE software. These exploits have been used to target telecom providers globally,
@EnigmaTyphoon
27 Mar 2025
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2023-20198 and CVE-2023-20273.
@EnigmaTyphoon
27 Mar 2025
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2023-20198
@transilienceai
3 Mar 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Chinese hackers have attacked more US telecom providers through unpatched Cisco routers. The threat that Cisco's vulnerabilities pose to the global telecom sector is becoming ever more serious. Cisco routers Salt Typhoon cyberwar CVE-2023-20198 CVE-…
@linuxmint_hun
1 Mar 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
With Recorded Future reporting that Salt Typhoon attacks were carried out by exploiting CVE-2023-20198 in Cisco IOS XE (though not officially confirmed by Cisco) and GreyNoise observing active attacks, I took another look for the first time in a while. Shodan identified 43,750 devices, 39,676 of which are still exposed, and 55% of those, 21,714 devices, are potentially vulnerable. https://t.co/ZkVV8fAiZU
@nekono_naha
26 Feb 2025
2226 Impressions
4 Retweets
21 Likes
11 Bookmarks
0 Replies
1 Quote
🚨 Ongoing attacks linked to the Salt Typhoon group exploit Cisco vulnerabilities CVE-2018-0171 and CVE-2023-20198, targeting telecom sectors. Significant breaches reported. #CiscoSecurity #China #VulnerabilityExploitation link: https://t.co/T2RU9MUNaZ https://t.co/RW7WZeshHE
@TweetThreatNews
26 Feb 2025
59 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
110 IP addresses are actively attacking CVE-2023-20198, a vulnerability in Cisco network equipment, GreyNoise reports. It is linked to the hacking of major telecommunications carriers by China's Salt Typhoon group, and exploitation of CVE-2018-0171 is also being seen. https://t.co/LRya8zN4EO
@__kokumoto
25 Feb 2025
720 Impressions
0 Retweets
5 Likes
6 Bookmarks
0 Replies
0 Quotes
Attacks targeting Cisco devices are intensifying, with attackers including state-sponsored groups exploiting unpatched vulnerabilities. CVE-2023-20198 (privilege escalation, CVSS 10.0) is being attacked from 110 malicious IPs (Bulgaria 38%, Brazil 27%, Singapore 19%), and the number of attacks has tripled since October 2024. Also, the seven-year-old CVE-2018-0171 (Smart… https://t.co/PW34ciL9Ne
@yousukezan
25 Feb 2025
2275 Impressions
2 Retweets
24 Likes
8 Bookmarks
0 Replies
0 Quotes
🚨 Exploitation: Salt Typhoon-Linked CVEs 🚨 🔹 CVE-2023-20198 – 110+ IPs (🇧🇬🇧🇷🇸🇬) 🔹 CVE-2018-0171 – Attempts from 🇨🇭🇺🇸https://t.co/4XtqUm2Pds #salttyphoon #cve
@GreyNoiseIO
24 Feb 2025
1007 Impressions
2 Retweets
8 Likes
5 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2023-20198
@transilienceai
22 Feb 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2023-20198
@transilienceai
19 Feb 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🔒 Cyber Alert: Chinese hackers (Salt Typhoon) breached 1,000+ Cisco routers via CVE-2023-20198 & CVE-2023-20273. Targets: U.S. gov, law enforcement, telecoms. Patch IOS XE now! Disable public admin access. Full report: https://t.co/wuzeZ1NBQ6 #CyberSecurity #Cisco
@BeaconPulseLtd
18 Feb 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
RedMike is exploiting CVE-2023-20198 & CVE-2023-20273 to target 1,000+ Cisco devices in a global espionage campaign. More details: 🔗 https://t.co/BXKNfGoZyw #CyberSecurity #ThreatIntelligence
@adriananglin
18 Feb 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Chinese Hackers Breach U.S. Telecoms via Unpatched Cisco Routers! Salt Typhoon exploits Cisco IOS XE flaws (CVE-2023-20198, CVE-2023-20273) to infiltrate U.S. telecoms, government networks, & law enforcement wiretaps! Over 1,000 devices targeted globally! 🌍 Patch immediate
@dCypherIO
17 Feb 2025
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2023-20198
@transilienceai
17 Feb 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2023-20198
@transilienceai
16 Feb 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2023-20198
@transilienceai
15 Feb 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Another telecom breach via unpatched Cisco routers, with China’s Salt Typhoon hackers still exploiting CVE-2023-20198 and CVE-2023-20273. If you're running Cisco IOS XE, patch NOW or risk being the next victim. #CyberSecurity #ZeroDay #NetworkSecurity #DataBreach #PatchNow https:
@robbebel
14 Feb 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The cybercriminal group Salt Typhoon hacked US telecommunications providers through unpatched Cisco IOS XE network devices, exploiting the vulnerabilities CVE-2023-20198 and CVE-2023-20273. 🧉 https://t.co/Eg3aC2FzbN
@MarquisioX
14 Feb 2025
43 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Salt Typhoon exploits vulnerabilities in Cisco devices Information Security, cisco, CVE-2023-20198, cyber espionage, featured, cyber warfare, RedMike, Salt Typhoon, sanctions, telecommunications, USA, vulnerabilities https://t.co/facOxtlHtQ https://t.co/sSQbNCmWWq
@matricedigitale
14 Feb 2025
29 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Insikt Group reported that the Chinese state-sponsored group RedMike exploited unpatched Cisco devices in global telecoms, using vulnerabilities CVE-2023-20198 and CVE-2023-20273 for persistent access and data exfiltration. #Cybersecurity https://t.co/nDqfmnKj4y
@Cyber_O51NT
13 Feb 2025
151 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#exploit 1. CVE-2024-20356: https://t.co/b3SJunTBHe 2. "Randar" Minecraft Exploit: Explanation and Information https://t.co/1SZ69aiDJH 3. CVE-2023-20198: Cisco IOS XE Privilege Escalation https://t.co/KibbxvO9gJ
@ksg93rd
23 Nov 2024
136 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
🚨🔍 Top 5 most exploited CVEs of 2023: 1️⃣ CVE-2023-3519 (Citrix NetScaler): Buffer overflow for remote code execution. 2️⃣ CVE-2023-4966 (Citrix NetScaler): Token leakage risk. 3️⃣ CVE-2023-20198 (Cisco IOS XE): Unauthorized admin access.
@AugustineCyber
17 Nov 2024
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CISA has published a summary of the vulnerabilities most routinely exploited in 2023. 2023 Top Routinely Exploited Vulnerabilities https://t.co/ulfm6a7TUz ◆CVE-2023-3519: Citrix ◆CVE-2023-4966: Citrix ◆CVE-2023-20198: Cisco ◆CVE-2023-20273: Cisco ◆CVE-2023-27997: Fortinet… https://t.co/5hY9DKZUl3 https://t.co/G9ylY3EdvP
@taku888infinity
13 Nov 2024
1354 Impressions
1 Retweet
8 Likes
0 Bookmarks
1 Reply
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2C8A350D-6C3A-430F-9763-5D167C5CEAE5",
            "versionEndExcluding": "16.12.10a",
            "versionStartIncluding": "16.12"
          },
          {
            "criteria": "cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BEA2169A-BE52-48B4-8967-D99A4BCAFF58",
            "versionEndExcluding": "17.3.8a",
            "versionStartIncluding": "17.3"
          },
          {
            "criteria": "cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "281561C8-E24D-4AC1-B1F8-1D32171B9A2F",
            "versionEndExcluding": "17.6.6a",
            "versionStartIncluding": "17.6"
          },
          {
            "criteria": "cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B628DA7F-32AA-459B-95A6-AF3BFC0E765C",
            "versionEndExcluding": "17.9.4a",
            "versionStartIncluding": "17.9"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
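The NVD configuration block above is the machine-readable form of "which IOS XE releases are affected"; a vulnerability-management team typically has to evaluate it against the version strings its inventory reports. The following is an added example, not code from the page, NVD or Cisco. It embeds the four match criteria shown above as its input and implements a version comparison for IOS XE release strings; the parsing rule that a lettered rebuild such as "17.9.4a" sorts after "17.9.4" is an assumption made here, chosen because it is what the `versionEndExcluding` values in the record rely on.

```python
"""Evaluate the NVD CPE configuration for CVE-2023-20198 against an IOS XE version."""
import re

# Copied from the NVD configuration shown on the page (only these four ranges).
IOS_XE_CPE_PREFIX = "cpe:2.3:o:cisco:ios_xe:"
NVD_CONFIGURATIONS = [{"nodes": [{"negate": False, "operator": "OR", "cpeMatch": [
    {"criteria": IOS_XE_CPE_PREFIX + "*:*:*:*:*:*:*:*", "vulnerable": True,
     "matchCriteriaId": "2C8A350D-6C3A-430F-9763-5D167C5CEAE5",
     "versionStartIncluding": "16.12", "versionEndExcluding": "16.12.10a"},
    {"criteria": IOS_XE_CPE_PREFIX + "*:*:*:*:*:*:*:*", "vulnerable": True,
     "matchCriteriaId": "BEA2169A-BE52-48B4-8967-D99A4BCAFF58",
     "versionStartIncluding": "17.3", "versionEndExcluding": "17.3.8a"},
    {"criteria": IOS_XE_CPE_PREFIX + "*:*:*:*:*:*:*:*", "vulnerable": True,
     "matchCriteriaId": "281561C8-E24D-4AC1-B1F8-1D32171B9A2F",
     "versionStartIncluding": "17.6", "versionEndExcluding": "17.6.6a"},
    {"criteria": IOS_XE_CPE_PREFIX + "*:*:*:*:*:*:*:*", "vulnerable": True,
     "matchCriteriaId": "B628DA7F-32AA-459B-95A6-AF3BFC0E765C",
     "versionStartIncluding": "17.9", "versionEndExcluding": "17.9.4a"},
]}]}]

_PART_RE = re.compile(r"^(\d+)([a-z]*)$")


def parse_ios_xe_version(version):
    """Turn '17.9.4a' into ((17, ''), (9, ''), (4, 'a')).

    Assumption: a rebuild letter suffix sorts after the bare number, so
    '17.9.4' < '17.9.4a'. That is the distinction the NVD record relies on
    when it says versionEndExcluding '17.9.4a'.
    """
    parts = []
    for piece in version.strip().split("."):
        m = _PART_RE.match(piece.lower())
        if not m:
            raise ValueError(f"unrecognised IOS XE version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def version_in_range(version, start_incl=None, start_excl=None,
                     end_incl=None, end_excl=None):
    """True if `version` satisfies every bound given (NVD's four bound keys)."""
    bounds = {k: parse_ios_xe_version(b) for k, b in (
        ("si", start_incl), ("se", start_excl), ("ei", end_incl), ("ee", end_excl)) if b}
    v = parse_ios_xe_version(version)
    # Pad shorter tuples with (0, '') so '17.3' compares as '17.3.0'.
    width = max([len(v)] + [len(b) for b in bounds.values()])
    pad = lambda p: p + ((0, ""),) * (width - len(p))
    vk = pad(v)
    if "si" in bounds and vk < pad(bounds["si"]):
        return False
    if "se" in bounds and vk <= pad(bounds["se"]):
        return False
    if "ei" in bounds and vk > pad(bounds["ei"]):
        return False
    if "ee" in bounds and vk >= pad(bounds["ee"]):
        return False
    return True


def _node_matches(node, version):
    """Evaluate one NVD node, honouring its operator and negate flag."""
    results = []
    for m in node.get("cpeMatch", []):
        if not m["criteria"].startswith(IOS_XE_CPE_PREFIX):
            continue  # some other product; not our concern here
        hit = bool(m.get("vulnerable")) and version_in_range(
            version,
            start_incl=m.get("versionStartIncluding"),
            start_excl=m.get("versionStartExcluding"),
            end_incl=m.get("versionEndIncluding"),
            end_excl=m.get("versionEndExcluding"))
        results.append((m["matchCriteriaId"], hit))
    hits = [cid for cid, h in results if h]
    if node.get("operator", "OR") == "AND":
        matched = bool(results) and all(h for _, h in results)
    else:
        matched = bool(hits)
    if node.get("negate", False):
        matched = not matched
    return matched, hits


def affected_criteria(version, configurations=NVD_CONFIGURATIONS):
    """Return the matchCriteriaIds whose range contains `version`."""
    ids = []
    for config in configurations:
        for node in config.get("nodes", []):
            matched, hits = _node_matches(node, version)
            if matched:
                ids.extend(hits)
    return ids


def is_affected(version, configurations=NVD_CONFIGURATIONS):
    """True if `version` falls inside at least one published vulnerable range."""
    return bool(affected_criteria(version, configurations))


if __name__ == "__main__":
    for v in ("17.9.4", "17.9.4a", "17.3.7", "16.12.10a", "17.12.1"):
        print(v, "affected" if is_affected(v) else "not in a listed range")
```

A negative result means only that the version is outside the four ranges in this record, not that the device is confirmed safe; the vendor's advisory and Software Checker named in the description above remain the authority for trains this record does not list, and the comparison still needs the web UI exposure check (HTTP/HTTPS server enabled, reachable from untrusted networks) before a device is ranked for patching.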