
CVE-2023-20198: Cisco IOS XE Web UI — Zero-Day Privilege Escalation (CVSS 10.0)

CVE Details

CVE ID CVE-2023-20198
CVSS Score 10
Severity Critical
Vendor Cisco
Product IOS XE
Patch Status Available
Published February 24, 2026

Background

Cisco IOS XE is the operating system powering Cisco’s enterprise and service provider networking hardware — including switches, routers, wireless controllers, and access points. IOS XE is deployed in the vast majority of enterprise network infrastructure globally. The web UI feature provides a browser-based management interface for device configuration.

CVE-2023-20198 is a CVSS 10.0 zero-day vulnerability discovered in mid-October 2023, with exploitation already in progress at time of disclosure. Cisco’s advisory confirmed that the vulnerability was being actively exploited and that it allowed unauthenticated attackers to create accounts with the highest privilege level (privilege level 15) on the affected device. The attack was combined with a second vulnerability (CVE-2023-20273, a privilege escalation for root shell) to install a persistent implant on tens of thousands of Cisco devices.

Technical Mechanism

CVE-2023-20198 is an authentication bypass/privilege escalation in IOS XE’s web UI HTTP server. The web UI feature, when enabled, listens on the device’s HTTP (80) or HTTPS (443) port for management traffic.

The vulnerability is in the web server component that processes incoming requests. Specifically, the issue exists in the HTTP request handling code for certain administrative functions. By sending a specially crafted request to a specific URI path, an attacker can trigger the creation of a new local user account at privilege level 15 (the highest IOS XE privilege, equivalent to root/admin) without providing any credentials.

The exact mechanism involves a path that should only be accessible by authenticated administrators being reachable without authentication due to a missing or incorrect authentication check for that specific endpoint. The attack:

    # Step 1: Create privilege-15 user via unauthenticated request
    POST /webui/logoutconfirm.html?logon_hash=<crafted_value> HTTP/1.1
    Host: cisco-device.target.com
    Content-Type: application/x-www-form-urlencoded

    [Crafted POST body that triggers account creation]

Once an attacker has a privilege-15 user, they can:

  • Access all IOS XE configuration and operational data
  • Modify routing configurations, ACLs, and security policies
  • Exploit CVE-2023-20273 (a separate command injection) to escalate to a root shell on the underlying Linux OS

CVE-2023-20273 chain (root escalation):

Using the newly created admin account, attackers exploited CVE-2023-20273, a separate vulnerability in the web UI that allows a privilege-15 user to execute arbitrary commands as root through a command injection in a diagnostic functionality endpoint.

LURKER implant:

The root-level access from the two-CVE chain enabled attackers to install a persistent backdoor dubbed “LURKER” or “BadCandy” — a Lua-based implant embedded in IOS XE’s GuestShell or deployed as a configuration archive. This implant survived device reboots and responded to specific HTTP requests with a password parameter.

Real-World Exploitation Evidence

Cisco Talos documented the exploitation campaign and attributed it to a previously unknown sophisticated threat actor:

  • Scale: At peak, security researchers identified over 40,000 compromised Cisco IOS XE devices with the LURKER implant. This represents an extraordinarily large pool of compromised network infrastructure.
  • Zero-day exploitation: The attacker was exploiting the vulnerability before Cisco was aware of it, suggesting prior discovery through their own research.
  • Implant sophistication: The Lua-based LURKER implant was designed to be stealthy and to survive device reboots — indicating significant IOS XE-specific expertise.
  • Rapid enumeration: After public disclosure, organizations including CISA and Censys were able to detect and track implanted devices globally.
  • Post-patch implant revision: After Cisco released patches, the threat actor modified the LURKER implant to evade the detection heuristics that researchers and Cisco had developed — showing ongoing active involvement.

Impact Assessment

Compromised IOS XE network devices represent a catastrophic security scenario:

  • Core network infrastructure: Routers and switches manage all traffic traversing the network; compromise enables traffic interception, modification, and redirection.
  • Routing manipulation: Attackers can inject false routes (BGP hijacking potential), redirect traffic through attacker-controlled paths, or drop traffic silently.
  • Network invisibility: Traffic from the network device itself is often exempted from security monitoring; attackers operating from a compromised router are exceptionally difficult to detect.
  • Credential access: IOS XE stores authentication credentials, SNMP community strings, and network management credentials.
  • Scale of deployment: Cisco IOS XE is the dominant enterprise routing OS; the blast radius of a successful exploitation campaign is enormous.

Affected Versions

Scope                                              | Status
---------------------------------------------------|---------------------------------
All IOS XE devices with web UI enabled and exposed | Vulnerable
IOS XE with web UI disabled                        | Not exploitable via this vector
IOS (classic, not XE)                              | Not affected

Fixed versions were released in the October 22, 2023 advisory update. Cisco released patches across all IOS XE trains:

  • 17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a (and later releases in each train)

Remediation Steps

  1. Apply Cisco patches: Download and install the appropriate fixed IOS XE version from Cisco Software Center.

  2. Disable web UI immediately if not required (primary interim mitigation):

    no ip http server
    no ip http secure-server

    Verify with: show running-config | include ip http

  3. Restrict web UI access via ACL (if web UI must remain enabled):

    ip http access-class [acl-number]
    ip http secure-server
    access-list [acl-number] permit [management_network]
    access-list [acl-number] deny any

  4. Check for LURKER implant: Cisco provided detection guidance. Check for the implant via:

    # HTTP request to detect implant (Cisco's published check sends a POST)
    curl -k -X POST "https://<device_ip>/webui/logoutconfirm.html?logon_hash=1"
    # If a hex string (16 characters) is returned, device may be compromised

  5. Review local user accounts: Check for unexpected privilege-15 accounts:

    show running-config | section username

  6. Monitor device integrity: If compromise is confirmed, treat device configuration as untrusted and restore from a known-good configuration backup.
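Steps 2 through 5 above can be checked offline against a saved copy of `show running-config` output and the body returned by the implant-check request, which is useful when auditing a fleet rather than one device. The script below is an added example and is not Cisco tooling or code from this advisory: the configuration excerpt, the allowlist of approved administrators and the account names in it are constructed for illustration.

```python
import re

# Constructed excerpt of `show running-config` output (illustrative, not from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username webadmin2 privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http access-class 10
!
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 10 deny any
!
"""

# Assumed allowlist: the privilege-15 accounts the organisation actually provisioned.
APPROVED_ADMINS = {"netadmin"}

ACCESS_CLASS = re.compile(r"^ip http access-class (\S+)$")
PRIV15_USER = re.compile(r"^username (\S+) .*\bprivilege 15\b")
# Cisco's implant check: a bare hexadecimal string in the response body is the indicator.
HEX_BODY = re.compile(r"^[0-9a-fA-F]{16,}$")


def web_ui_status(config: str) -> dict:
    """Report whether the web UI listeners are on (remediation step 2) and
    whether an access-class ACL restricts them (step 3)."""
    lines = [line.strip() for line in config.splitlines()]
    http = "ip http server" in lines            # 'no ip http server' will not match
    https = "ip http secure-server" in lines
    acl = None
    for line in lines:
        m = ACCESS_CLASS.match(line)
        if m:
            acl = m.group(1)
    return {"http": http, "https": https, "enabled": http or https, "access_class": acl}


def privilege15_accounts(config: str) -> list:
    """Usernames configured at privilege level 15 (what step 5 asks you to review)."""
    found = []
    for line in config.splitlines():
        m = PRIV15_USER.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


def unexpected_admins(config: str, approved=APPROVED_ADMINS) -> list:
    """Privilege-15 accounts that are not on the allowlist."""
    return sorted(set(privilege15_accounts(config)) - set(approved))


def implant_response_suspicious(body: str) -> bool:
    """Classify the body returned by the step-4 request: a hex string means the
    implant answered; an unaffected device returns an HTML page or an error."""
    return bool(HEX_BODY.match(body.strip()))


def audit(config: str, approved=APPROVED_ADMINS) -> list:
    """Collect human-readable findings for one device configuration."""
    findings = []
    ui = web_ui_status(config)
    if ui["enabled"] and ui["access_class"] is None:
        findings.append("web UI enabled with no ip http access-class restriction")
    elif ui["enabled"]:
        findings.append(f"web UI enabled, restricted by access-class {ui['access_class']}")
    for user in unexpected_admins(config, approved):
        findings.append(f"unexpected privilege-15 account: {user}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed configuration, the audit reports that the web UI is enabled but ACL-restricted and that `webadmin2` is a privilege-15 account nobody on the allowlist provisioned; a device where both `no ip http server` and `no ip http secure-server` are present reports the web UI as disabled. The allowlist is the important input: an attacker-created account looks exactly like a legitimate one in the configuration, so the only reliable way to spot it is to compare against what you know you created.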

Detection Guidance

Log sources:

  • Syslog from IOS XE devices (forward to SIEM)
  • Web UI access logs
  • AAA accounting logs

IOS XE syslog indicators:

    %SYS-5-CONFIG_I: Configured from console by <unknown>
    %WEBUI-6-INSTALL_OPERATION_INFO: User: <new_user>, Install Operation: ADD

Network-level detection:

  • Unexpected HTTP/HTTPS traffic to device management IPs from non-management source IPs
  • Port 80/443 responses from network devices to non-standard client IPs

Suricata signature:

    alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IOS XE CVE-2023-20198 Web UI Exploit"; flow:established,to_server; http.uri; content:"/webui/logoutconfirm.html"; http.uri; content:"logon_hash="; sid:9002020; rev:1;)
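The syslog indicators and the network-level checks above translate directly into SIEM-side logic. The following Python script is an added example, not a Cisco or vendor detection; the syslog lines and web-UI access records are constructed, the `(source_ip, request_uri)` shape of the access records is an assumption about whatever collector feeds the SIEM, and the known-user set and management subnet are placeholders for an organisation's own values.

```python
import ipaddress
import re

# Constructed syslog lines in IOS XE format (illustrative, not from a real incident).
SAMPLE_SYSLOG = """\
<189>Oct 17 02:14:09.120 UTC: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.10.5.21)
<189>Oct 17 02:31:44.007 UTC: %SYS-5-CONFIG_I: Configured from console by <unknown>
<190>Oct 17 02:31:45.311 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: webadmin2, Install Operation: ADD
<190>Oct 17 02:40:00.000 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: netadmin, Install Operation: ADD
<189>Oct 17 03:00:01.500 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
"""

# Constructed web-UI access records as (source_ip, request_uri); the real shape
# depends on the collector feeding the SIEM, so this format is an assumption.
SAMPLE_ACCESS = [
    ("10.10.5.21", "/webui/"),
    ("198.51.100.77", "/webui/logoutconfirm.html?logon_hash=1"),
    ("203.0.113.9", "/webui/logoutconfirm.html?logon_hash=abc"),
]

KNOWN_USERS = {"netadmin", "monitor"}             # assumed provisioned accounts
MGMT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed management subnet

CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from (\S+) by (\S+)")
WEBUI_ADD = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+), Install Operation: ADD")


def syslog_findings(text: str, known_users=KNOWN_USERS) -> list:
    """Flag the two syslog indicators: configuration changes attributed to
    <unknown> and web-UI account additions for users nobody provisioned."""
    findings = []
    for line in text.splitlines():
        m = CONFIG_I.search(line)
        if m and m.group(2) == "<unknown>":
            findings.append(("config_by_unknown", m.group(0)))
            continue
        m = WEBUI_ADD.search(line)
        if m and m.group(1) not in known_users:
            findings.append(("webui_add_unknown_user", m.group(1)))
    return findings


def access_findings(records, mgmt_net=MGMT_NET) -> list:
    """Flag web-UI requests from outside the management subnet and any request
    to the logoutconfirm.html path carrying a logon_hash parameter (the same
    URI the Suricata rule above matches on)."""
    findings = []
    for src, uri in records:
        outside = ipaddress.ip_address(src) not in mgmt_net
        exploit_uri = uri.startswith("/webui/logoutconfirm.html") and "logon_hash=" in uri
        if outside or exploit_uri:
            findings.append({"src": src, "uri": uri, "outside_mgmt": outside, "exploit_uri": exploit_uri})
    return findings


if __name__ == "__main__":
    for finding in syslog_findings(SAMPLE_SYSLOG) + access_findings(SAMPLE_ACCESS):
        print(finding)
```

On the constructed input this yields two syslog findings (the `<unknown>` configuration event and the `webadmin2` addition) and two access findings (both external requests to the exploit URI), while the administrator's own session from the management subnet is left alone. Keep the `<unknown>` match even if it looks noisy: a configuration change that IOS XE cannot attribute to a logged-in user is exactly what an unauthenticated account creation through the web UI produces.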

Timeline

Date               | Event
-------------------|----------------------------------------------------------------
September 18, 2023 | First exploitation activity observed (estimated)
October 16, 2023   | Cisco Talos discovers exploitation; advisory published
October 16, 2023   | CISA adds CVE-2023-20198 to KEV catalogue
October 20, 2023   | 40,000+ compromised devices identified by security firms
October 22, 2023   | Cisco releases patches; publishes CVE-2023-20273 advisory
October 23, 2023   | Threat actor updates implant to evade new detection heuristics
November 2023      | Continued exploitation; ongoing implant recovery operations