What is Cisco IOS XE?
Cisco IOS XE is the operating system running on a wide range of Cisco enterprise networking equipment including Catalyst switches, ASR/ISR routers, and wireless LAN controllers. The HTTP/HTTPS server feature (Web UI) provides a browser-based management interface. IOS XE devices are foundational infrastructure components — compromise of a router or switch running IOS XE gives an attacker privileged network position to intercept traffic, pivot to internal segments, and disable network controls.
Overview
CVE-2023-20273 is a command injection vulnerability in the Cisco IOS XE Web UI that allows an authenticated attacker with administrator-level access to execute arbitrary commands with root privileges. In isolation it requires high privilege, but when chained with the companion zero-day CVE-2023-20198 (CVSS 10.0 — unauthenticated account creation), the combined attack required no prior credentials. Attackers used this two-step chain in a massive exploitation campaign beginning in mid-October 2023, implanting a persistent Lua backdoor on tens of thousands of Cisco networking devices worldwide.
Affected Versions
| Platform | Affected | Fixed |
|---|---|---|
| Cisco IOS XE with HTTP Server feature enabled | All versions before October 2023 patches | IOS XE 17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a, and later |
Exposure condition: the Web UI must be enabled (`ip http server` or `ip http secure-server` in the config) and accessible from the attacker's network.
Technical Details
The attack chain operates in two steps:
Step 1 — CVE-2023-20198 (CVSS 10.0): An unauthenticated attacker sends a crafted HTTP request to the Web UI that triggers a privilege 15 account creation without authentication. This creates a backdoor local administrator account on the device.
Step 2 — CVE-2023-20273 (CVSS 7.2, CWE-78): Using the newly created account, the attacker submits a crafted request to a different Web UI endpoint that passes attacker-controlled data unsanitized to an OS command. The injected command executes with root privileges. Attackers used this to write a Lua-based backdoor implant to the device file system that survived reboots and provided persistent command execution capability.
The implant responded to HTTP requests and could execute arbitrary commands on the device. Initially it evaded detection because it was installed in an unusual file path and used HTTP authentication to gate access. Cisco updated detection guidance multiple times as researchers discovered the implant could be hidden by sending a crafted Host header.
Discovery
Cisco Talos Intelligence first identified active exploitation around October 16, 2023. The campaign targeted internet-exposed IOS XE management interfaces at scale, consistent with automated scanning and exploitation. The initial advisory (for CVE-2023-20198) was published October 23; CVE-2023-20273 was identified two days later as the component actually used to install the implant.
Exploitation Context
At peak exploitation, Shadowserver and security researchers observed more than 40,000 compromised IOS XE devices with active implants. The campaign was consistent with nation-state or sophisticated espionage-level activity given the targeting of core network infrastructure. CISA issued an emergency directive with an exceptionally short remediation deadline (4 days), reflecting the severity. The CISA required action for this CVE includes mandatory compromise-checking steps before remediation — merely patching does not remove existing implants.
Remediation
- Disable the Web UI immediately if you cannot patch right now: `no ip http server` and `no ip http secure-server`, then `copy running-config startup-config`.
- Check for compromise before patching — use Cisco's detection commands to look for the implant (see advisory cisco-sa-iosxe-webui-privesc-j22SaA4z for current detection guidance). The implant may not be visible with standard `show` commands.
- Upgrade to a fixed IOS XE release — 17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a, or later.
- Audit local user accounts — delete any unauthorized accounts, especially those created around mid-October 2023 or with unexplained privilege 15 access.
- Restrict management interface access — Web UI should only be accessible from trusted management networks, never from the internet.
- If compromise is confirmed, treat the device as fully untrusted: capture configuration, replace or re-image, rotate all passwords and keys, and audit adjacent network segments for lateral movement.
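An offline audit helper for the exposure, version and account checks above, added here as an example and not Cisco's own tooling: it reads a saved running-config, flags the Web UI being enabled on a release older than the fixed ones listed on this page, and lists privilege 15 local accounts that are not on an expected list. The sample config, hostname and account names are constructed; the fixed-release table covers only the trains named on this page, so any other train is reported as unknown and must be checked against the advisory.

```python
import re

# First fixed release per IOS XE train, as listed on this page.
FIXED_RELEASES = {"17.9": "17.9.4a", "17.6": "17.6.6a", "17.3": "17.3.8a", "16.12": "16.12.10a"}

def parse_version(version):
    """'17.9.4a' -> (17, 9, 4, 'a'). The rebuild suffix '' sorts before 'a', so 17.9.4 < 17.9.4a."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def version_status(version):
    """'fixed', 'vulnerable', or 'unknown-train' when the train is not in the table above."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED_RELEASES:
        return "unknown-train"  # check the Cisco advisory for that train
    return "fixed" if parsed >= parse_version(FIXED_RELEASES[train]) else "vulnerable"

def audit_config(config, version, expected_admins=frozenset()):
    """Return a list of findings for a running-config text and the device's IOS XE version."""
    findings = []
    # Exposure condition: Web UI enabled. 'no ip http server' lines do not match this pattern.
    web_ui = [line.strip() for line in config.splitlines()
              if re.match(r"\s*ip http (secure-)?server\b", line)]
    status = version_status(version)
    if web_ui and status != "fixed":
        findings.append(f"Web UI enabled ({', '.join(web_ui)}) on {status} release {version}")
    # Account audit: every privilege 15 local user not on the expected list needs review.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m[1] not in expected_admins:
            findings.append(f"unexpected privilege 15 local account: {m[1]}")
    return findings

# Constructed sample running-config (hostname, users and hash placeholders are made up).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 REDACTED-HASH
username svc_backup privilege 15 secret 9 REDACTED-HASH
!
ip http server
ip http secure-server
ip http authentication local
"""

def run_example():
    return audit_config(SAMPLE_CONFIG, "17.9.3", expected_admins={"netadmin"})

if __name__ == "__main__":
    for finding in run_example():
        print("FINDING:", finding)
```

Run it against configs exported from a management system to triage which devices need the Web UI disabled or an upgrade first; a clean result does not rule out an existing implant, so the detection step from the advisory still applies.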
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-20273 |
| Vendor / Product | Cisco — Cisco IOS XE Web UI |
| NVD Published | 2023-10-25 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 7.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-78 |
| CISA KEV Added | 2023-10-23 |
| CISA KEV Deadline | 2023-10-27 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-10-16 | Cisco Talos first observes mass exploitation campaign targeting IOS XE devices |
| 2023-10-23 | Cisco publishes initial advisory for CVE-2023-20198 (CVSS 10.0); CVE-2023-20273 not yet identified |
| 2023-10-23 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-10-25 | Cisco updates advisory to add CVE-2023-20273 as the privilege escalation component of the exploit chain |
| 2023-10-27 | CISA BOD 22-01 remediation deadline (emergency shortened deadline) |
| 2023-10-30 | Cisco releases patched IOS XE versions |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory: cisco-sa-iosxe-webui-privesc-j22SaA4z | Vendor Advisory |
| Cisco Talos: Active Exploitation of Cisco IOS XE Software | Security Research |
| NVD — CVE-2023-20273 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |