
DETECTION OVERVIEW

Cisco IOS XE Exploit - CVE-2023-20198

Risk Factors

Internet-facing devices with the Cisco IOS XE web UI service enabled have been exploited. An unauthenticated attacker can gain control of a device, access sensitive traffic, and launch attacks on additional networks.

Kill Chain

Exploitation

Risk Score

87


Attack Background

The web interface of Cisco Internetworking Operating System (IOS) XE has a privilege escalation vulnerability that allows attackers to create an account with administrator (level 15) privileges. To exploit this vulnerability, the attacker sends a malicious HTTP request with a SOAP payload and a double URL-encoded URI that specifies the /webui_wsma_http or /webui_wsma_https endpoints. These endpoints are normally restricted, but the vulnerability enables the restriction to be bypassed (1). The victim processes the payload and sends an HTTP response with a SOAP payload that contains the account information and a 200 status code to the attacker (2). After the account is created, the attacker can chain this exploit with an exploit of CVE-2023-20273 to install malware on the device.
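The bypass described above leaves a recognisable trace in web-server access logs: a request URI that only resolves to /webui_wsma_http or /webui_wsma_https after being URL-decoded twice. The following detection routine is an added example, not part of this overview or of any RevealX detector; it assumes a simplified log format of "client method uri status" and uses constructed sample lines.

```python
from urllib.parse import unquote, urlsplit

# Restricted web UI endpoints named in the detection overview above.
WSMA_ENDPOINTS = ("/webui_wsma_http", "/webui_wsma_https")

# Constructed access-log lines in the form "<client> <method> <uri> <status>";
# these are illustrative, not captured traffic.
SAMPLE_LOG = [
    "198.51.100.7 POST /%2577ebui_wsma_http 200",   # %25 -> %, then %77 -> w
    "203.0.113.9 GET /webui/ 200",                   # ordinary web UI use
    "192.0.2.5 POST /webui_wsma_https 401",          # direct request, rejected
]

def decode_layers(uri, max_layers=4):
    """Repeatedly URL-decode until the string stops changing; one entry per layer."""
    layers = [uri]
    for _ in range(max_layers):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers

def inspect_request(line):
    """Classify one log line; returns the fully decoded path and the verdict."""
    client, method, uri, status = line.split()
    layers = decode_layers(uri)
    path = urlsplit(layers[-1]).path.rstrip("/")
    hits_wsma = path.endswith(WSMA_ENDPOINTS)
    # raw -> decoded once -> decoded again: more than two layers means double encoding
    double_encoded = len(layers) > 2
    return {
        "client": client,
        "method": method,
        "path": path,
        "hits_wsma": hits_wsma,
        "double_encoded": double_encoded,
        # A double-encoded URI resolving to a WSMA endpoint matches the bypass on
        # this page; a 200 response indicates the device processed the request.
        "alert": hits_wsma and double_encoded,
        "likely_success": hits_wsma and double_encoded and status == "200",
    }

def scan(lines):
    """Return the verdict for every line that raised an alert."""
    return [v for v in (inspect_request(l) for l in lines) if v["alert"]]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_LOG):
        print(verdict)
```

A direct, correctly encoded request to the WSMA endpoints is reported with hits_wsma set but does not alert on its own, since the page describes the double encoding as the distinguishing feature of the bypass.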

Mitigation Options

Upgrade to a fixed version

MITRE ATT&CK ID
