{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3orockwellautomationallen-bradley_stratix_5800_firmware/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5200_firmware:*:*:*:*:*:*:*:*","cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5800_firmware:*:*:*:*:*:*:*:*","cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":10,"id":"CVE-2023-20198"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":["https://sploitus.com/exploit?id=A8131B98-2E12-5CC3-8733-6A8BA83F9771\u0026utm_source=rss\u0026utm_medium=rss"],"_cs_products":["IOS XE"],"_cs_severities":["critical"],"_cs_tags":["cisco-ios-xe","web-ui","cve-2023-20198","implant"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThe Cisco IOS XE Software Web Management User Interface vulnerability (CVE-2023-20198) allows a remote attacker to inject code and establish persistent access to a vulnerable system. Public reports indicate active exploitation starting in September 2023, targeting Cisco IOS XE devices running vulnerable versions of the web UI. The vulnerability is triggered by specific crafted HTTP POST requests to the \u003ccode\u003e/webui/logoutconfirm.html\u003c/code\u003e endpoint. Successful exploitation allows attackers to install an implant, granting them privileged access and control over the device. This poses a significant threat to network infrastructure integrity and availability, as compromised devices can be used for lateral movement, data exfiltration, or denial-of-service attacks. The Talos Intelligence blog and the \u003ccode\u003ecisco-ios-xe-implant-scanner\u003c/code\u003e tool on Github provide additional context on this campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Cisco IOS XE device with the web UI enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to \u003ccode\u003e/webui/logoutconfirm.html?logon_hash=*\u003c/code\u003e to exploit CVE-2023-20198.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to inject arbitrary code into the device.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a persistent implant on the compromised device, typically a web shell or reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the implant to establish a reverse shell connection to an external command and control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages privileged access gained through the implant to perform reconnaissance on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, exploiting trust relationships or other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware, achieving their final objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-20198 can lead to complete compromise of Cisco IOS XE devices, potentially affecting thousands of organizations globally. Attackers can gain privileged access, allowing them to reconfigure devices, intercept network traffic, and pivot to other systems on the network. This can result in data breaches, financial losses, and significant disruption of critical infrastructure. Cisco has released patches to address this vulnerability, but many devices remain unpatched and vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco IOS XE Implant Access Attempt\u003c/code\u003e to detect POST requests to the vulnerable endpoint (Web.url).\u003c/li\u003e\n\u003cli\u003eInspect network traffic for suspicious POST requests targeting the \u003ccode\u003e/webui/logoutconfirm.html?logon_hash=*\u003c/code\u003e endpoint (Web.url).\u003c/li\u003e\n\u003cli\u003eUse a web vulnerability scanner to identify Cisco IOS XE devices vulnerable to CVE-2023-20198.\u003c/li\u003e\n\u003cli\u003eApply the latest security patches released by Cisco to address CVE-2023-20198.\u003c/li\u003e\n\u003cli\u003eReview and harden the web UI access controls on Cisco IOS XE devices, restricting access to authorized users only.\u003c/li\u003e\n\u003cli\u003eMonitor user-agent strings for unusual or malicious activity associated with web UI access (Web.http_user_agent).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T18:00:48Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-webui-exploit/","summary":"Exploitation of the Cisco IOS XE Web UI vulnerability (CVE-2023-20198) through crafted POST requests to obtain unauthorized access and maintain persistence on compromised devices.","title":"Cisco IOS XE Web UI Implant Access via CVE-2023-20198","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-webui-exploit/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:o:rockwellautomation:allen-Bradley_stratix_5800_firmware:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}