Skip to content
Threat Feed
critical advisory PoC updated

Cisco IOS XE Web UI Implant Access via CVE-2023-20198

Exploitation of the Cisco IOS XE Web UI vulnerability (CVE-2023-20198) through crafted POST requests to obtain unauthorized access and maintain persistence on compromised devices.

What's new

  • l2 poc_available; added CVE-2023-20198 Jul 8, 18:00 via sploitus

The Cisco IOS XE Software Web Management User Interface vulnerability (CVE-2023-20198) allows a remote attacker to inject code and establish persistent access to a vulnerable system. Public reports indicate active exploitation starting in September 2023, targeting Cisco IOS XE devices running vulnerable versions of the web UI. The vulnerability is triggered by specific crafted HTTP POST requests to the /webui/logoutconfirm.html endpoint. Successful exploitation allows attackers to install an implant, granting them privileged access and control over the device. This poses a significant threat to network infrastructure integrity and availability, as compromised devices can be used for lateral movement, data exfiltration, or denial-of-service attacks. The Talos Intelligence blog and the cisco-ios-xe-implant-scanner tool on Github provide additional context on this campaign.

Attack Chain

  1. The attacker identifies a vulnerable Cisco IOS XE device with the web UI enabled.
  2. The attacker sends a crafted HTTP POST request to /webui/logoutconfirm.html?logon_hash=* to exploit CVE-2023-20198.
  3. Successful exploitation allows the attacker to inject arbitrary code into the device.
  4. The attacker installs a persistent implant on the compromised device, typically a web shell or reverse shell.
  5. The attacker uses the implant to establish a reverse shell connection to an external command and control (C2) server.
  6. The attacker leverages privileged access gained through the implant to perform reconnaissance on the network.
  7. The attacker moves laterally to other systems within the network, exploiting trust relationships or other vulnerabilities.
  8. The attacker exfiltrates sensitive data or deploys ransomware, achieving their final objective.

Impact

Successful exploitation of CVE-2023-20198 can lead to complete compromise of Cisco IOS XE devices, potentially affecting thousands of organizations globally. Attackers can gain privileged access, allowing them to reconfigure devices, intercept network traffic, and pivot to other systems on the network. This can result in data breaches, financial losses, and significant disruption of critical infrastructure. Cisco has released patches to address this vulnerability, but many devices remain unpatched and vulnerable.

Recommendation

  • Deploy the Sigma rule Cisco IOS XE Implant Access Attempt to detect POST requests to the vulnerable endpoint (Web.url).
  • Inspect network traffic for suspicious POST requests targeting the /webui/logoutconfirm.html?logon_hash=* endpoint (Web.url).
  • Use a web vulnerability scanner to identify Cisco IOS XE devices vulnerable to CVE-2023-20198.
  • Apply the latest security patches released by Cisco to address CVE-2023-20198.
  • Review and harden the web UI access controls on Cisco IOS XE devices, restricting access to authorized users only.
  • Monitor user-agent strings for unusual or malicious activity associated with web UI access (Web.http_user_agent).

Detection coverage 2

Cisco IOS XE Implant Access Attempt

critical

Detects potential exploitation attempts of CVE-2023-20198 by monitoring POST requests to the /webui/logoutconfirm.html endpoint

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Cisco IOS XE Implant User-Agent Activity

high

Detects unusual user-agent strings associated with web UI access after the CVE-2023-20198 exploit.

sigma tactics: persistence techniques: T1190 sources: webserver, linux

Detection queries are available on the platform. Get full rules →

Indicators of compromise

4

url

TypeValue
urlhttps://sploitus.com/exploit?id=A8131B98-2E12-5CC3-8733-6A8BA83F9771
urlhttp://192.168.1.100/%2577ebui_wsma_http
urlhttp://router.company.com/%2577ebui_wsma_http
urlhttps://target.example.com/%2577ebui_wsma_http