Patches released for Cisco IOS XE zero-day flaws

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Cisco has released security patches for two zero-day vulnerabilities, tracked as CVE-2023-20198 (CVSSv3.1 score: 10.0) and CVE-2023-20273 (CVSSv3.1 score: 7.2). The updates follow active exploitation of the flaws by a threat actor, in which more than 50,000 Cisco IOS XE hosts were compromised.

Cisco confirmed that a threat actor exploited CVE-2023-20198 to gain initial access to the target device and then created a local account by issuing a ‘privilege 15’ command (the most privileged level within Cisco’s permission structure). The actor then leveraged CVE-2023-20273 to elevate the privileges of the created account, adding a malicious script to the file system.
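Because the observed chain ends with a newly created privilege 15 local account, a quick hygiene check on each device is to diff the local user list against an approved baseline. The following Python snippet is an added example (not from the bulletin or from Cisco) that parses `show running-config` text for `username ... privilege 15` entries; the configuration text, hostname and usernames are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `show running-config` output (hypothetical device and
# usernames, not taken from any real system or from the bulletin).
SAMPLE_RUNNING_CONFIG = """\
version 17.9
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
!
end
"""

# IOS XE local user lines take the form:
#   username <name> [privilege <0-15>] secret|password ...
# A user line with no explicit privilege keyword defaults to level 1.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)
DEFAULT_PRIVILEGE = 1
ADMIN_PRIVILEGE = 15


def parse_local_users(config: str) -> Dict[str, int]:
    """Map each local username in the running-config to its privilege level."""
    users: Dict[str, int] = {}
    for match in USERNAME_RE.finditer(config):
        name, level = match.group(1), match.group(2)
        users[name] = int(level) if level is not None else DEFAULT_PRIVILEGE
    return users


def find_unexpected_admins(config: str, baseline_admins: Set[str]) -> List[str]:
    """Return privilege-15 accounts that are not on the operator's approved list.

    A hit is a review trigger (compare against change records and the IoCs in
    the earlier bulletin), not proof of compromise on its own.
    """
    users = parse_local_users(config)
    return sorted(
        name for name, level in users.items()
        if level == ADMIN_PRIVILEGE and name not in baseline_admins
    )


if __name__ == "__main__":
    # Operator-maintained baseline of approved level-15 accounts (constructed).
    approved = {"netadmin"}
    for name in find_unexpected_admins(SAMPLE_RUNNING_CONFIG, approved):
        print(f"REVIEW: unexpected privilege 15 account '{name}'")
```

Feed it the saved output of `show running-config` from each device and keep the baseline under change control so that a new level-15 account is surfaced the moment it appears.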

Impact

Successful exploitation of CVE-2023-20198 and CVE-2023-20273 would almost certainly allow a threat actor to create a highly privileged account on the affected system. This would ultimately grant full control of the compromised device, almost certainly compromising the integrity of its data.

Vulnerability Detection

Cisco has released a security patch for the disclosed vulnerabilities; product versions prior to the patched release remain vulnerable to exploitation.

Affected Products

Cisco IOS XE Software.

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected product apply the released security patch as soon as possible. The update can be obtained from the Cisco Software Download Center. The initial remediated release is version 17.9.4a; further updates will be released on a date yet to be disclosed.

Indicators of Compromise

Please refer to the previously released Quorum Cyber Threat Intelligence bulletin for details regarding Indicators of Compromise (IoCs).

Threat Landscape

Cisco holds a significant share of the enterprise network infrastructure market, and its products are used extensively by organisations across the industry sector spectrum. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations whose operations depend on these products as prime targets as they seek to meet their pre-defined objectives.

As was previously confirmed with CVE-2023-20198, intelligence indicates that vulnerabilities in Cisco products for which patches exist have previously been subjected to malicious cyber operations. It is therefore critical to follow the recommended remediation and mitigation strategies to reduce the risk of exploitation.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0004 – Privilege Escalation

Further Information

Cisco Advisory

An Intelligence Terminology Yardstick showing the likelihood of events