CVE-2023-20198 — Cisco IOS XE Web UI Privilege Escalation Vulnerability

Cisco IOS XE Web UI: Zero-Day Lets Unauthenticated Attackers Create a Privilege-Level-15 Account; Tens of Thousands of Devices Compromised; 'BadCandy' Implant; 4-Day CISA Deadline

What is Cisco IOS XE Web UI?

Cisco IOS XE is the operating system running on Cisco's enterprise routers and switches, including the Catalyst switch, ASR router, and ISR router families. The IOS XE Web UI (the HTTP/HTTPS management server) provides a graphical interface for device configuration and monitoring. CISA's Binding Operational Directive 23-02, issued in June 2023, had already directed federal civilian agencies to take networked management interfaces such as the IOS XE Web UI off the public internet, but the directive binds only federal agencies, and tens of thousands of devices at enterprises and service providers remained exposed. Network devices running IOS XE are critical infrastructure: routers and switches at the edge of corporate and ISP networks carry all of the traffic behind them, and their compromise gives an attacker persistent, privileged access to intercept communications, alter routing, and pivot into connected networks.

Overview

CVE-2023-20198 is a CVSS 10.0 zero-day vulnerability in the web management interface (HTTP Server feature) of Cisco IOS XE that allows an unauthenticated remote attacker to create a local account with privilege level 15, the highest administrative level in IOS XE, without supplying any credentials. CISA added it to the KEV catalog on the day Cisco disclosed it (October 16, 2023) with an unusually short 4-day remediation deadline, reflecting mass exploitation already in progress. Within days of disclosure, internet scanning firms counted tens of thousands of Cisco IOS XE devices (roughly 40,000 to 50,000, depending on the scan) responding as compromised with a Lua-based backdoor implant running inside the device's web server, later referred to as "BadCandy."

Affected Versions

Product: Cisco IOS XE with the HTTP Server feature enabled
Status: Patched; apply the fixed releases listed in Cisco's advisory immediately

The HTTP Server feature (ip http server or ip http secure-server) must be enabled, and the management interface must be reachable from the attacker's network, for the vulnerability to be exploitable. Devices with the web UI disabled are not affected by this CVE.

Technical Details

CWE-420 (Unprotected Alternate Channel). The IOS XE HTTP Server exposed a request path that could be reached before authentication and that led into privileged configuration functionality. By sending a specially crafted HTTP request to the web management interface, an unauthenticated attacker could bypass the web UI's authentication checks and cause IOS XE to create a new local user account with privilege level 15. Cisco has not published the full details of the bypass.

The created account gives the attacker full IOS XE CLI access, including the ability to change the device configuration, install software, and reach every network the device connects to. In observed attacks, CVE-2023-20198 was chained with CVE-2023-20273, a command injection in the web UI that is only reachable by authenticated users (CVSS 3.1: 7.2): the attacker used CVE-2023-20198 to create the administrator account, then used CVE-2023-20273 to write a Lua implant ("BadCandy") into the web server's configuration directory on the device's filesystem and run it with root privileges. The implant itself was not persistent, since a reboot removed it, but the attacker-created level-15 account survived reboots and gave the attacker a way back in.

Discovery

Cisco identified the activity while investigating unusual behavior on a customer device, and Cisco Talos published the analysis. Cisco disclosed the vulnerability as an actively exploited zero-day before a patch was available, and its advisory described the observed exploitation. The 4-day KEV deadline and the simultaneous Cisco advisory reflect the severity of the ongoing mass compromise.

Exploitation Context

Within 48 hours of Cisco's disclosure, Censys, Shodan, and other internet scanning services identified between roughly 40,000 and 50,000 Cisco IOS XE devices responding with the BadCandy implant, indicating a pre-staged, large-scale compromise operation. The attackers had been exploiting the vulnerability before disclosure, using the window between their discovery and Cisco's public advisory to infect as many devices as possible. The BadCandy implant provided HTTP-based command execution through the device's own web server. It did not survive a reboot, but the attacker-created accounts did; Talos later reported an updated implant variant that required an Authorization header, which both hid it from the original probe and explains the sudden drop in scan counts a few days after disclosure.

The scope of exploitation — tens of thousands of Cisco IOS XE routers and switches at ISPs, enterprises, and government agencies — made this one of the most significant network device compromises of 2023. Attribution was not publicly confirmed at initial disclosure.

Remediation

  1. Disable the HTTP/HTTPS Server feature immediately on all IOS XE devices that do not require web management: no ip http server and no ip http secure-server. This removes the attack surface for both CVEs.
  2. Apply Cisco's fixed releases for both CVE-2023-20198 and CVE-2023-20273; the advisory cisco-sa-iosxe-webui-privesc-j22SaA4z lists the fixed version for each release train.
  3. Follow Cisco's compromise detection guidance: check for unexpected local user accounts (show running-config | include username; Cisco called out cisco_tac_admin and cisco_support as names seen in the wild), review logs for %SYS-5-CONFIG_P programmatic configuration changes by unknown users and for %WEBUI-6-INSTALL_OPERATION_INFO messages naming unexpected files, and run Cisco's implant probe (an HTTP POST to /webui/logoutconfirm.html?logon_hash=1; a bare hexadecimal string in the response indicates the original implant). Note that the later implant variant did not answer the probe, so a negative result does not prove the device is clean.
  4. If compromise is suspected, do not simply patch: remove any unknown accounts, reload the device from a known-clean image (a reload removes the implant but not the accounts), and verify the configuration against a trusted copy.
  5. Restrict access to the IOS XE Web UI to specific trusted management IP ranges by binding an access list to the HTTP server, and never expose management interfaces to the internet.
  6. Comply with BOD 23-02 where it applies, and adopt its intent elsewhere: remove all internet-facing management interfaces from public accessibility.
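The detection and hardening steps above, as an added, offline-runnable set of shell helpers. This is example code written for this page, not Cisco's or Talos's tooling. The implant probe logic follows the check Cisco published (a bare hex string in the reply means the original implant is present); the syslog lines, running-config snippets, usernames and the MGMT-ONLY access list are constructed for illustration, and the %SYS-5-CONFIG_P and %WEBUI-6-INSTALL_OPERATION_INFO line formats are approximations of the real messages, so adjust the sed patterns to your own log output before relying on them.

```shell
#!/bin/sh
# Offline triage helpers for CVE-2023-20198 / CVE-2023-20273, modelled on the checks
# Cisco and Talos published. All sample data below is CONSTRUCTED for illustration;
# the syslog formats approximate the real %SYS-5-CONFIG_P and
# %WEBUI-6-INSTALL_OPERATION_INFO messages, and the usernames are hypothetical.

# Cisco's implant probe: POST /webui/logoutconfirm.html?logon_hash=1 on a clean
# device returns a redirect or an HTML page; a device carrying the original web-UI
# implant returns a bare hexadecimal string. (Talos later saw a variant that also
# required an Authorization header, so "no-implant" is not proof of a clean device.)
classify_implant_probe() {
    body=$(printf '%s' "$1" | tr -d '\r\n ')
    case "$body" in
        '')              echo "no-implant" ;;       # empty body, e.g. a 302 with no content
        *[!0-9A-Fa-f]*)  echo "no-implant" ;;       # HTML, JSON, anything non-hex
        *)               echo "implant-present" ;;
    esac
}

# Network version of the probe; not exercised in the offline run below.
probe_device() {
    body=$(curl -sk -m 10 -X POST "https://$1/webui/logoutconfirm.html?logon_hash=1")
    classify_implant_probe "$body"
}

# Syslog on stdin: print each user behind a programmatic config change
# (%SYS-5-CONFIG_P) that is not in the space-separated allowlist $1.
suspicious_config_users() {
    allow=" $1 "
    grep '%SYS-5-CONFIG_P' | sed -n 's/.* as user \([^ ]*\).*/\1/p' | sort -u |
    while read -r u; do
        case "$allow" in *" $u "*) ;; *) echo "$u" ;; esac
    done
}

# Syslog on stdin: print file names installed through the web UI.
webui_installed_files() {
    grep '%WEBUI-6-INSTALL_OPERATION_INFO' |
    sed -n 's/.*Install Operation: ADD \([^ ]*\).*/\1/p'
}

# Running-config on stdin: print privilege-15 usernames not in allowlist $1.
rogue_level15_users() {
    allow=" $1 "
    sed -n 's/^username \([^ ]*\) privilege 15.*/\1/p' |
    while read -r u; do
        case "$allow" in *" $u "*) ;; *) echo "$u" ;; esac
    done
}

# Running-config on stdin: "disabled" if neither HTTP server is on, "exposed" if one
# is on with no access class, "restricted" if an access class limits the sources.
audit_http_server() {
    cfg=$(cat)
    enabled=$(printf '%s\n' "$cfg" | grep -Ec '^ip http (secure-)?server$' || true)
    acl=$(printf '%s\n' "$cfg" | grep -c '^ip http access-class ' || true)
    if [ "$enabled" -eq 0 ]; then echo "disabled"
    elif [ "$acl" -eq 0 ]; then echo "exposed"
    else echo "restricted"; fi
}

# --- constructed sample inputs (not captured from a real device) ---
SAMPLE_LOG='Oct 16 02:11:40.101: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user cisco_tac_admin on line 0
Oct 16 02:11:41.330: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf
Oct 16 09:30:02.004: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user netops on line 0'

EXPOSED_CFG='username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server'

HARDENED_CFG='username netops privilege 15 secret 9 $9$REDACTED
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 deny   any log
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY'

DISABLED_CFG='username netops privilege 15 secret 9 $9$REDACTED
no ip http server
no ip http secure-server'

echo "probe, HTML reply: $(classify_implant_probe '<html><body>login</body></html>')"
echo "probe, hex reply:  $(classify_implant_probe '7a3b9c0d1e2f4a5b6c')"
echo "config changes by unknown users: $(printf '%s\n' "$SAMPLE_LOG" | suspicious_config_users 'netops')"
echo "files installed via web UI:      $(printf '%s\n' "$SAMPLE_LOG" | webui_installed_files)"
echo "level-15 users not on allowlist: $(printf '%s\n' "$EXPOSED_CFG" | rogue_level15_users 'netops')"
echo "exposed config:  $(printf '%s\n' "$EXPOSED_CFG" | audit_http_server)"
echo "hardened config: $(printf '%s\n' "$HARDENED_CFG" | audit_http_server)"
echo "disabled config: $(printf '%s\n' "$DISABLED_CFG" | audit_http_server)"
```

On a real device, feed the output of show logging and show running-config into the functions (for example, collected over SSH) and call probe_device with the management address; the hardened configuration shows the intended end state for step 5, with the HTTP server limited to the management subnet by an access class and plaintext HTTP disabled.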

Key Details

Property: Value
CVE ID: CVE-2023-20198
Vendor / Product: Cisco — IOS XE Web UI
NVD Published: 2023-10-16
NVD Last Modified: 2025-10-28
CVSS 3.1 Score: 10.0
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-420 (Unprotected Alternate Channel)
CISA KEV Added: 2023-10-16
CISA KEV Deadline: 2023-10-20
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-10-20. Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.

Timeline

Date        Event
2023-10-16  Cisco discloses CVE-2023-20198 as an actively exploited zero-day; CISA adds it to KEV the same day with a 4-day deadline
2023-10-19  Cisco confirms chaining with CVE-2023-20273 to install the 'BadCandy' implant; scanning firms report roughly 40,000 to 50,000 devices responding as compromised
2023-10-20  CISA BOD 22-01 remediation deadline, an extraordinary 4-day window
2023-10-22  Cisco releases the first fixed IOS XE software