CyberWatch

Are you vulnerable to this unpatched Cisco zero-day?

By

By

Access Point Consulting

Summary

CVE-2023-20198 is a recently disclosed Critical Privilege Escalation vulnerability with active exploitation. It is one of the few vulnerabilities which has been disclosed by Cisco with a CVSS score of 10, the highest possible score. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, the highest level. Using this account, the attacker is able to gain control of the affected system.

Impact Assessment

The vulnerability affects Cisco IOS XE Software if the web UI feature is enabled using the “ip http server” or “ip http secure-server” commands. This vulnerability is devastating to any organization using the Cisco IOS XE Software on their Cisco devices, it allows a full take-over of the device and in turn the network.

What it means for you

Any organization which has the Cisco IOS XE Software web UI can and will be subject to an attack on their device(s). There have already been over 10000 Cisco devices which have been backdoored using this vulnerability, allowing a threat actor to remote execute commands at system or OS levels.

Check the following document for all Cisco Router models which have support for Cisco IOS XE:

Cisco Router Models and IOS Software Releases

Remediation

According to Cisco there are no workarounds or patches available yet to remediate.

They have provided recommendations in the form of a decision tree to help determine how to triage and deploy protections to your environment:

Are you running IOS XE?

  1. No. The system is not vulnerable. No further action is necessary.
  2. Yes. Is ip http server or ip http secure-server configured?
    1. No. The vulnerability is not exploitable. No further action is necessary.
    2. Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
      1. No. Disable the HTTP Server feature.
      2. Yes. If possible, restrict access to those services to trusted networks.

Cisco also states that: “We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation.”

Business Implications

Exploitation of this vulnerability can cause financial loss, reputation loss, and data loss. Data exfiltration is a high possibility along with malware installation. There will have to be an incident response as well as having to lock down any and all devices connected to the affected Cisco product which can halt day-to-day operations. The potential pitfalls which can arise from not patching this vulnerability which could affect the business are countless.

Access Point Technology Recommends

  1. Review: Identify which network devices your organization uses and determine if they are vulnerable to this vulnerability.
  2. Triage and Deploy protections: After determining if your organization uses any devices which are vulnerable follow the decision tree above to determine how to respond.
  3. Stay up to date: Keep track of this vulnerability’s security advisory and patch or apply workarounds immediately when there is one available.

Associated Bulletins

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

https://thehackernews.com/2023/10/warning-unpatched-cisco-zero-day.html

Resources

Latest Resources

Resources

CyberWatch

April 2, 2025

Scott "Monty" Montgomery (Island) | Navigating CMMC compliance for organizations of every size

Scott Montgomery, known as Monty, joined the CyberWatch Expert Series podcast to discuss his extensive background in cybersecurity, particularly in building and designing network security tools for high-assurance environments like the Department of Defense (DoD) and the intelligence community. His experience includes significant tenure at McAfee (now Trellix), which led him to his current role at Island, where he focuses on innovative approaches to cybersecurity compliance.

Find out more
March 19, 2025

Michael Sviben (DomainGuard) | Defending against phishing and building proactive security awareness

Cybersecurity threats evolve rapidly, and one tactic consistently rises above the rest: phishing. In this episode of CyberWatch, Michael Sviben, co-founder of DomainGuard, discusses why phishing remains so effective, how businesses and individuals become targets, and what you can do to stay vigilant.

Find out more
March 5, 2025

David Habib (Brightspot) | Building a culture of cybersecurity awareness

Cybersecurity awareness is often reduced to check-the-box training, but David Habib, CIO at Brightspot, argues that real security awareness isn’t about formal programs—it’s about making security part of a company’s culture. In this episode, he shares practical insights on how organizations can move beyond stale training sessions to create an engaged and security-conscious workforce.

Find out more