Home / Vulnerabilities / CVE-2023-20198
CRITICAL SEVERITY
CVE-2023-20198 Cisco · IOS XE Web UI

Cisco IOS XE Web UI Privilege Escalation Vulnerability

Technical Severity

CVSS v3.1 Metrics

CRITICAL
10 / 10
Minimal Risk Critical
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation Likelihood

EPSS Prediction

94.01 %
Predictive Probability
Percentile Rank
99.9 th

Documented as more likely to be exploited than 99.9% of known CVEs.

Detection Date

Oct 16, 2023

Remediation Due

Oct 20, 2023

CISA Catalog Active

Threat Analysis

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker to create an account with privilege level 15 access. The attacker can then use that account to gain control of the affected device.

Remediation Directive

Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.

External Intelligence

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html
NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2023-20198