
CVE-2023-20273: Cisco IOS XE Web UI — Command Injection

CVE Details

CVE ID: CVE-2023-20273
CVSS Score: 7.2
Severity: High
Vendor: Cisco
Product: Cisco IOS XE
Patch Status: Available
Published: October 23, 2023
EPSS Score: 92.2%
CISA Patch Deadline: November 13, 2023 (federal deadline passed)

Background

CVE-2023-20273 doesn’t get as much press as CVE-2023-20198 (the auth bypass that preceded it), but it’s the bug that converts a new admin account into root shell access. Together, the two vulnerabilities form one of the most significant Cisco IOS XE exploitation campaigns in years, compromising tens of thousands of devices globally in October 2023.

IOS XE is Cisco’s operating system for enterprise switches, routers, and wireless LAN controllers. The web-based management interface (WebUI) is optional but commonly enabled for ease of administration. Cisco Talos observed over 40,000 compromised devices at the peak of exploitation — a remarkable number for what should be controlled network infrastructure.

Technical Mechanism

This vulnerability is the second stage of a two-step attack chain:

Stage 1 (CVE-2023-20198) — An unauthenticated attacker accesses a specific URI in the IOS XE WebUI that bypasses authentication, creating a new level-15 (maximum privilege) user account on the device.

Stage 2 (CVE-2023-20273) — Using the level-15 account created in stage 1, the attacker exploits a command injection vulnerability in a different WebUI feature. This flaw allows an attacker who is authenticated only at the WebUI level, with no shell access, to inject OS-level commands that execute as root, installing a persistent implant.

The specific injection is in a WebUI configuration page where input is passed to underlying IOS XE system calls without proper sanitisation. The injected commands bypass IOS XE’s privilege model and execute in the context of the underlying Linux OS that IOS XE runs on.

The implant installed in the wild was a Lua-based backdoor written to the device’s in-memory filesystem. It exposed an HTTP server that responded to specific requests with backdoor capabilities, surviving even device reboots in some configurations.

Real-World Exploitation Evidence

Cisco Talos identified active zero-day exploitation beginning in September 2023, initially attributed to a single threat actor. By October 2023, the scale had become extraordinary:

  • 40,000+ devices compromised — at peak, Censys and Shodan observed over 40,000 IOS XE devices with the implant
  • Cisco IOS XE Lua implant — a custom backdoor that checked for a specific “magic value” in HTTP requests and executed commands based on that
  • Threat actor pivot — the actor modified the implant mid-campaign to evade detection after public disclosure, adding a check for a header before responding
  • Targeting — broad targeting across telecommunications, managed service providers, enterprise networks, and government

For networking infrastructure specifically, the scale of this campaign was comparable to mass-exploitation events such as Log4Shell.

Impact Assessment

  • Root code execution on Cisco IOS XE devices — the underlying Linux OS, not just IOS CLI
  • Persistent implant — the Lua backdoor maintained access across config saves
  • Complete device compromise — routing tables, ACLs, VPN configs, and credentials all accessible
  • Network traffic manipulation — with root on a router or switch, traffic can be intercepted, redirected, or dropped
  • Credential harvesting — TACACS+/RADIUS configurations and local credentials accessible
  • Pivot to connected networks — network devices are perfect pivot points; they connect to everything

Affected Versions

Product      | Affected Versions                | Fixed Version
Cisco IOS XE | All versions with WebUI enabled  | 17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a

Note: All versions of IOS XE with the WebUI (ip http server or ip http secure-server) enabled in combination with the web-based management feature are affected.

Remediation Steps

  1. Disable the WebUI immediately if not needed:
    no ip http server
    no ip http secure-server
  2. Apply Cisco patches: 17.9.4a, 17.6.6a, 17.3.8a, or 16.12.10a as appropriate for your train
  3. Check for signs of compromise — the implant installs as a file in the IOS XE filesystem:
    show platform software cfile system file md5sum cat9k-rpboot.SSA.pkg.conf
  4. Use Cisco’s provided detection command to check for the implant:
    curl -k -X POST "https://<device-ip>/webui/logoutconfirm.html?logon_hash=1"
    If it returns a hex string, the device is likely compromised.
  5. Look for newly created local user accounts at privilege level 15
  6. If the device is compromised, reload from a known-good backup configuration and software image
  7. Restrict WebUI access to management VLANs only — do not expose to the internet

Detection Guidance

IOS XE logs — check for:

  • New user account creation via WebUI
  • Requests to unusual URI paths in the HTTP access log
  • Unexpected HTTP server activity

Network monitoring — IOS XE devices shouldn’t be making HTTP requests to external IPs. Any such behaviour post-exploitation indicates the implant is active.

Check device filesystem:

dir flash:/
show platform software cfile system

Suricata signature:

alert http any any -> $HTTP_SERVERS any (msg:"Cisco IOS XE CVE-2023-20273 WebUI Implant Check"; flow:established,to_server; http.uri; content:"/webui/logoutconfirm.html"; http.uri; content:"logon_hash"; classtype:attempted-admin; sid:2034014; rev:1;)
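A small triage helper, added here as an example and not Cisco's code or code from the original page, that turns remediation steps 4, 5 and 7 and the log checks above into code: it classifies the logoutconfirm probe response, lists privilege-15 local accounts missing from an operator allowlist, and flags WebUI requests from outside the management network. The access-log layout, the sample lines, the usernames and the 10.10.0.0/24 management range are all constructed assumptions.

```python
import ipaddress
import re
# Constructed sample of "show running-config | include ^username" output (not from a real device).
SAMPLE_USERNAMES = """\
username netops privilege 15 secret 9 $9$CONSTRUCTED
username cisco_tac_admin privilege 15 secret 9 $9$CONSTRUCTED
username helpdesk privilege 1 secret 9 $9$CONSTRUCTED
"""
# Constructed WebUI access-log lines in an assumed common-log layout; IOS XE's real format may differ.
SAMPLE_ACCESS_LOG = [
    '10.10.0.5 - - [17/Oct/2023:09:58:00 +0000] "GET /webui/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Oct/2023:10:01:02 +0000] "POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1" 200 18',
    '203.0.113.9 - - [17/Oct/2023:10:03:45 +0000] "GET /webui/ HTTP/1.1" 200 5120',
]
HEX_RE = re.compile(r"[0-9a-fA-F]+")
USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)")
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*"[A-Z]+ (?P<uri>\S+) HTTP/')

def implant_check_positive(response_body: str) -> bool:
    # Step 4: the probe is positive when the body is a bare hex string rather than the usual HTML.
    body = response_body.strip()
    return bool(body) and HEX_RE.fullmatch(body) is not None

def unexpected_level15_users(running_config: str, expected: set) -> list:
    # Step 5: privilege-15 local accounts that are not on the operator's allowlist.
    found = []
    for line in running_config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and m.group(2) == "15" and m.group(1) not in expected:
            found.append(m.group(1))
    return found

def suspicious_webui_requests(log_lines: list, mgmt_net: str) -> list:
    # Detection guidance: flag the probe URI and any WebUI request sourced outside the management net (step 7).
    allowed = ipaddress.ip_network(mgmt_net)
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, uri = m.group("ip"), m.group("uri")
        reasons = []
        if "/webui/logoutconfirm.html" in uri and "logon_hash" in uri:
            reasons.append("implant-probe-uri")
        if ipaddress.ip_address(ip) not in allowed:
            reasons.append("source-outside-mgmt-net")
        if reasons:
            hits.append((ip, uri, reasons))
    return hits
```

Feed it real `show running-config` output and the device's HTTP access log; a non-empty result from any of the three functions is a reason to proceed to step 6 rather than proof of compromise on its own.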

Timeline

Date            | Event
September 2023  | First exploitation observed (zero-day)
16 October 2023 | Cisco Talos publishes advisory for CVE-2023-20198 and CVE-2023-20273
17 October 2023 | Mass exploitation peaks; 40,000+ devices compromised
October 2023    | CISA Emergency Directive and KEV addition
October 2023    | Threat actor modifies implant to evade detection
22 October 2023 | Cisco releases patches
2023–2024       | Continued targeting of IOS XE devices with WebUI exposed