Cisco Security Update – 17 October 2023

Cisco has released a security advisory for a critical vulnerability in the web UI feature of Cisco IOS XE software that is exploitable when the web UI is exposed to the internet or to untrusted networks.

The vulnerability could allow a remote, unauthenticated attacker to create an account on the affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

Cisco IOS XE Software Web UI Privilege Escalation (CVE-2023-20198):

  • CVSS: 10
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Privileges

Note that Cisco is aware of a public exploit for CVE-2023-20198 in the wild.

Vulnerabilities

CVE-2023-20198

Mitigations

A security update from Cisco is in progress. Until it is released, Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems; customers with services that require HTTP/HTTPS communication should restrict access to those services to trusted networks.

To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and the HTTPS server are in use, both commands are required to fully disable the HTTP Server feature. EG-FINCIRT encourages administrators to install the patch as soon as Cisco releases it.
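As an added example (not part of the Cisco advisory and not EG-FINCIRT's own tooling), the following Python script audits a saved running-config for the state of the two commands above and reports which of them still need to be applied. It assumes the config was captured with show running-config and that an ip http access-class line is what restricts the web UI to trusted networks; the sample configs are constructed.

```python
import re

# Matches 'ip http server' / 'ip http secure-server' and their 'no' forms.
HTTP_RE = re.compile(r"^\s*(no\s+)?ip http (server|secure-server)\s*$")
# Matches 'ip http access-class <acl>' or 'ip http access-class ipv4 <name>'
# (assumed to be how the web UI is restricted to trusted networks).
ACL_RE = re.compile(r"^\s*ip http access-class\s+(?:ipv4\s+)?(\S+)\s*$")

def audit_web_ui(config_text):
    """Report the web UI exposure found in a running-config.

    'http'/'https' are True when the server is configured on, False when an
    explicit 'no ...' line disables it, None when no line was found (treated
    as unknown, not as safe). 'remediation' lists the advisory's commands
    still needed for anything that is not explicitly disabled.
    """
    state = {"http": None, "https": None, "access_class": None}
    for line in config_text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            key = "http" if m.group(2) == "server" else "https"
            state[key] = m.group(1) is None   # no 'no ' prefix => enabled
            continue
        m = ACL_RE.match(line)
        if m:
            state["access_class"] = m.group(1)
    listening = [k for k in ("http", "https") if state[k] is not False]
    # Exposed = a server may be listening and no access-class restricts it.
    state["exposed"] = bool(listening) and state["access_class"] is None
    state["remediation"] = [
        "no ip http server" if k == "http" else "no ip http secure-server"
        for k in listening
    ]
    return state

# Constructed sample configs (not taken from any real device).
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
"""
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
no ip http server
no ip http secure-server
!
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_ui(cfg))
```

A config with an access-class is reported as not exposed but still gets the remediation commands listed, since restricting access is the fallback for services that must stay up, not a substitute for disabling the feature where it is not needed.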

References