Active exploitation of Cisco IOS XE vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Cisco has disclosed active exploitation of a security flaw in the web user interface (Web UI) of Cisco IOS XE Software. The zero-day vulnerability, tracked as CVE-2023-20198 (CVSSv3 score: 10.0), allows an unauthenticated remote attacker to bypass authentication and affects both physical and virtual devices running Cisco IOS XE Software that have the HTTP or HTTPS Server feature enabled and exposed to the attacker.

Impact

Successful exploitation of CVE-2023-20198 allows a threat actor to create a local user account on the affected device with privilege level 15, the highest administrative level. This grants full control of the device and its configuration, including the ability to install further code and to inspect or redirect traffic passing through it, almost certainly resulting in a compromise of the integrity of the device and of data traversing it.

Vulnerability Detection

As of the time of writing, Cisco has not released a security patch for this vulnerability. Until one is available, it is strongly recommended that the mitigations below are applied and that the indicator checks below are run against every device that has, or has had, the Web UI exposed.

Affected Products

Cisco IOS XE Software

Containment, Mitigations & Remediations

Cisco recommends disabling the HTTP Server feature on internet-facing systems to mitigate the risk of exploitation. In the Cisco Advisory this is done with the `no ip http server` and `no ip http secure-server` global configuration commands; both are required, because the Web UI is reachable over whichever of the two listeners remains enabled. After making the change, save the running configuration so that it survives a reload. Further details regarding the HTTP Server configuration, including restricting access to trusted hosts where the service cannot be disabled, can be found at the Cisco Advisory.

Indicators of Compromise

Network Indicators:

  • 154.53.56[.]231
  • 5.149.249[.]74

Administrators can carry out the following checks to determine whether a vulnerable system has been compromised:

  • Search the system logs for Web UI login, programmatic configuration and install-operation messages in which the user is cisco_tac_admin, cisco_support or any configured local user that is unknown to the network administrator.
  • Search the system logs for install-operation messages naming files that are unknown or do not correspond to an expected file installation.

Further details pertaining to the specific commands required to conduct these investigations can be found within the Cisco Advisory.
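The two checks above (exposure of the HTTP Server feature under Containment, Mitigations & Remediations, and the log indicators under Indicators of Compromise) can be scripted against exported `show running-config` output and syslog. The following is an added example written for this bulletin; it is not code from Cisco or from the advisory. The sample configuration and log lines are constructed, and the three log message formats are an assumption based on the messages the Cisco Advisory lists as indicators (`%SEC_LOGIN-5-WEBLOGIN_SUCCESS`, `%SYS-5-CONFIG_P` from process `SEP_webui_wsma_http`, and `%WEBUI-6-INSTALL_OPERATION_INFO`); confirm the exact wording against the advisory and your own platform before relying on the regexes.

```python
import re
from dataclasses import dataclass

# Network indicators listed in this bulletin.
IOC_IPS = {"154.53.56.231", "5.149.249.74"}

# Account names this bulletin flags; any other local user the administrator
# did not configure is treated the same way.
SUSPICIOUS_USERS = {"cisco_tac_admin", "cisco_support"}

# Assumption: message bodies follow the wording in the Cisco Advisory. Leading
# timestamps and hostnames are ignored by searching rather than matching.
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]"
)
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http "
    r"from console as (?P<user>\S+) on line"
)
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<file>\S+)"
)


@dataclass
class Finding:
    event: str
    user: str
    reason: str
    line: str


def http_server_state(running_config: str) -> dict:
    """Report whether `ip http server` / `ip http secure-server` are enabled.
    IOS XE prints the negated form when a listener is disabled, and a later
    statement overrides an earlier one, so the last occurrence wins."""
    state = {"http": False, "https": False}
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
    return state


def triage_logs(lines, known_users, expected_files=frozenset(), ioc_ips=IOC_IPS):
    """Flag Web UI logins, programmatic config changes and installs involving an
    unknown or known-bad user, an IoC source address, or an unexpected file."""
    findings = []
    for line in lines:
        if m := WEBLOGIN_RE.search(line):
            user, src = m["user"], m["src"]
            if user in SUSPICIOUS_USERS or user not in known_users:
                findings.append(Finding("WEBLOGIN_SUCCESS", user, "unknown or suspicious user", line))
            elif src in ioc_ips:
                findings.append(Finding("WEBLOGIN_SUCCESS", user, f"login from IoC address {src}", line))
        elif m := CONFIG_P_RE.search(line):
            user = m["user"]
            if user in SUSPICIOUS_USERS or user not in known_users:
                findings.append(Finding("CONFIG_P", user, "Web UI config change by unknown or suspicious user", line))
        elif m := INSTALL_RE.search(line):
            user, fname = m["user"], m["file"]
            if user in SUSPICIOUS_USERS or user not in known_users:
                findings.append(Finding("INSTALL_OPERATION_INFO", user, "install by unknown or suspicious user", line))
            elif fname not in expected_files:
                findings.append(Finding("INSTALL_OPERATION_INFO", user, f"unexpected file {fname}", line))
    return findings


# Constructed sample data (not from any real device).
SAMPLE_RUNNING_CONFIG = "hostname edge-rtr-01\n!\nip http server\nip http secure-server\nip http authentication local\n"
SAMPLE_LOGS = [
    "Oct 17 09:12:01 edge-rtr-01 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.20.5] at 09:12:01 UTC Tue Oct 17 2023",
    "Oct 17 09:15:44 edge-rtr-01 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 5.149.249.74] at 09:15:44 UTC Tue Oct 17 2023",
    "Oct 17 09:15:45 edge-rtr-01 %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line",
    "Oct 17 09:16:02 edge-rtr-01 %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD xyz.bin",
    "Oct 17 10:00:00 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.20.5)",
    "Oct 17 11:30:10 edge-rtr-01 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 154.53.56.231] at 11:30:10 UTC Tue Oct 17 2023",
    "Oct 17 11:45:00 edge-rtr-01 %WEBUI-6-INSTALL_OPERATION_INFO: User: netops, Install Operation: ADD approved-image.bin",
]

if __name__ == "__main__":
    print("HTTP server state:", http_server_state(SAMPLE_RUNNING_CONFIG))
    for f in triage_logs(SAMPLE_LOGS, known_users={"netops"}, expected_files={"approved-image.bin"}):
        print(f"{f.event:24} {f.user:16} {f.reason}")
```

Run against real exports, `known_users` should be the list of local accounts from `username` lines in the running-config as the administrator knows it, not as the device currently reports it, since the attacker's account will be present on a compromised device. A login by a legitimate account from an IoC address is flagged separately from unknown accounts, because credential reuse and the exploit leave different traces.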

Threat Landscape

Cisco holds a significant proportion of the enterprise network infrastructure market. Threat actors generally weigh the probability of success against the value of the asset when choosing an attack surface, and a widely deployed, often internet-facing network device with a web management interface scores highly on both, which makes Cisco products a prime target. Because these devices are integral to business operations and sit in the path of an organisation's traffic, threat actors will continue to exploit vulnerabilities in them to gain control of the networks they serve and of the data passing through them.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:
TA0004 – Privilege Escalation

[Figure: intelligence terminology yardstick showing the likelihood of events]

TIDC-005