Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
CVE-2023-20198
Score elevated to 10.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2023-10-16), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 10.0 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 10.0
- EG Score
- 10.0(high)
- EPSS
- 99.9%
- KEV
- ⚠ Exploited
Published
October 16, 2023
Last Modified
October 28, 2025
Advisory Details (2)
Auto-updated Jul 11, 2026Known Exploited Vulnerabilities Catalog | CISA
Known Exploited Vulnerabilities Catalog | CISA. Listed in CISA Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20198Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4zWeakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 49× in last 7d / 197× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 323 total refreshes for this CVE.
- 2026-07-17 16:46 UTCGHSA enrichment
- 2026-07-17 12:42 UTCGHSA enrichment
- 2026-07-17 08:39 UTCEG score recompute
- 2026-07-17 08:39 UTCGHSA enrichment
- 2026-07-17 04:36 UTCGHSA enrichment
- 2026-07-17 00:32 UTCGHSA enrichment
- 2026-07-16 20:30 UTCGHSA enrichment
- 2026-07-16 17:04 UTCCISA KEV update
- 2026-07-16 16:26 UTCGHSA enrichment
- 2026-07-16 12:23 UTCGHSA enrichment
- 2026-07-16 08:20 UTCGHSA enrichment
- 2026-07-16 04:17 UTCGHSA enrichment
- 2026-07-16 00:14 UTCGHSA enrichment
- 2026-07-15 20:11 UTCGHSA enrichment
- 2026-07-15 16:49 UTCCISA KEV update
- 2026-07-15 16:07 UTCGHSA enrichment
- 2026-07-15 15:04 UTCCISA KEV update
- 2026-07-15 12:04 UTCGHSA enrichment
- 2026-07-15 07:59 UTCGHSA enrichment
- 2026-07-15 03:56 UTCGHSA enrichment
- 2026-07-14 23:53 UTCGHSA enrichment
- 2026-07-14 19:50 UTCGHSA enrichment
- 2026-07-14 18:05 UTCCISA KEV update
- 2026-07-14 15:47 UTCGHSA enrichment
- 2026-07-14 11:44 UTCGHSA enrichment
Show 75 moreShow fewer
- 2026-07-14 07:41 UTCGHSA enrichment
- 2026-07-14 03:36 UTCGHSA enrichment
- 2026-07-13 23:33 UTCGHSA enrichment
- 2026-07-13 19:30 UTCGHSA enrichment
- 2026-07-13 17:07 UTCCISA KEV update
- 2026-07-13 15:27 UTCGHSA enrichment
- 2026-07-13 11:24 UTCGHSA enrichment
- 2026-07-13 07:21 UTCGHSA enrichment
- 2026-07-13 03:17 UTCGHSA enrichment
- 2026-07-12 23:14 UTCGHSA enrichment
- 2026-07-12 19:11 UTCGHSA enrichment
- 2026-07-12 15:07 UTCGHSA enrichment
- 2026-07-12 11:04 UTCGHSA enrichment
- 2026-07-12 07:01 UTCGHSA enrichment
- 2026-07-12 02:58 UTCGHSA enrichment
- 2026-07-11 22:55 UTCGHSA enrichment
- 2026-07-11 18:52 UTCGHSA enrichment
- 2026-07-11 14:50 UTCGHSA enrichment
- 2026-07-11 10:47 UTCGHSA enrichment
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 06:44 UTCGHSA enrichment
- 2026-07-11 02:41 UTCGHSA enrichment
- 2026-07-10 22:37 UTCGHSA enrichment
- 2026-07-10 18:34 UTCGHSA enrichment
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 14:31 UTCGHSA enrichment
- 2026-07-10 10:28 UTCGHSA enrichment
- 2026-07-10 06:24 UTCGHSA enrichment
- 2026-07-10 02:21 UTCGHSA enrichment
- 2026-07-09 22:19 UTCGHSA enrichment
- 2026-07-09 18:15 UTCGHSA enrichment
- 2026-07-09 14:11 UTCGHSA enrichment
- 2026-07-09 10:08 UTCGHSA enrichment
- 2026-07-09 06:05 UTCGHSA enrichment
- 2026-07-09 02:02 UTCGHSA enrichment
- 2026-07-08 21:58 UTCGHSA enrichment
- 2026-07-08 17:55 UTCGHSA enrichment
- 2026-07-08 13:51 UTCGHSA enrichment
- 2026-07-08 09:48 UTCGHSA enrichment
- 2026-07-08 05:45 UTCGHSA enrichment
- 2026-07-08 01:42 UTCGHSA enrichment
- 2026-07-07 21:38 UTCGHSA enrichment
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:35 UTCGHSA enrichment
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 13:32 UTCGHSA enrichment
- 2026-07-07 09:29 UTCGHSA enrichment
- 2026-07-07 05:26 UTCGHSA enrichment
- 2026-07-07 01:22 UTCGHSA enrichment
- 2026-07-06 21:18 UTCGHSA enrichment
- 2026-07-06 17:16 UTCGHSA enrichment
- 2026-07-06 13:11 UTCGHSA enrichment
- 2026-07-06 09:08 UTCGHSA enrichment
- 2026-07-06 05:05 UTCGHSA enrichment
- 2026-07-06 01:00 UTCGHSA enrichment
- 2026-07-05 20:56 UTCGHSA enrichment
- 2026-07-05 16:51 UTCGHSA enrichment
- 2026-07-05 12:47 UTCGHSA enrichment
- 2026-07-05 08:44 UTCGHSA enrichment
- 2026-07-05 04:41 UTCGHSA enrichment
- 2026-07-05 00:38 UTCGHSA enrichment
- 2026-07-04 20:35 UTCGHSA enrichment
- 2026-07-04 16:32 UTCGHSA enrichment
- 2026-07-04 12:28 UTCGHSA enrichment
- 2026-07-04 08:25 UTCGHSA enrichment
- 2026-07-04 04:22 UTCGHSA enrichment
- 2026-07-04 00:18 UTCGHSA enrichment
- 2026-07-03 20:15 UTCGHSA enrichment
- 2026-07-03 16:12 UTCGHSA enrichment
- 2026-07-03 12:09 UTCGHSA enrichment
- 2026-07-03 08:07 UTCGHSA enrichment
- 2026-07-03 04:04 UTCGHSA enrichment
- 2026-07-03 00:01 UTCGHSA enrichment
- 2026-07-02 19:58 UTCGHSA enrichment
Publicly available exploits
(10 references)Working exploit code is in the public domain (10 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCW01fh4cker/CVE-2023-20198-RCEFirst seen Apr 25, 2024
CVE-2023-20198-RCE, support adding/deleting users and executing cli commands/system commands.
Open source ↗ - GitHub PoCsmokeintheshell/CVE-2023-20198First seen Nov 16, 2023
CVE-2023-20198 Exploit PoC
Open source ↗ - GitHub PoCRevoltSecurities/CVE-2023-20198First seen Nov 3, 2023
An Exploitation script developed to exploit the CVE-2023-20198 Cisco zero day vulnerability on their IOS routers
Open source ↗ - GitHub PoCfox-it/cisco-ios-xe-implant-detectionFirst seen Oct 23, 2023
Cisco IOS XE implant scanning & detection (CVE-2023-20198, CVE-2023-20273)
Open source ↗ - GitHub PoCShadow0ps/CVE-2023-20198-ScannerFirst seen Oct 23, 2023
This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273
Open source ↗ - GitHub PoCPushkarup/CVE-2023-20198First seen Oct 23, 2023
A PoC for CVE 2023-20198
Open source ↗ - GitHub PoCiveresk/cve-2023-20198First seen Oct 20, 2023
1vere$k POC on the CVE-2023-20198
Open source ↗ - GitHub PoCsohaibeb/CVE-2023-20198First seen Oct 20, 2023
CISCO CVE POC SCRIPT
Open source ↗ - GitHub PoCTounsi007/CVE-2023-20198First seen Oct 18, 2023
CVE-2023-20198 PoC (!)
Open source ↗ - GitHub PoCZephrFish/CVE-2023-20198-CheckerFirst seen Oct 17, 2023
CVE-2023-20198 & 0Day Implant Scanner
Open source ↗
Related CVEs(same CWE)
Same CWE
10 shownCWE-420
Frequently asked(6)
What is CVE-2023-20198?
When was CVE-2023-20198 disclosed?
Is CVE-2023-20198 actively exploited?
What is the CVSS score of CVE-2023-20198?
Which products are affected by CVE-2023-20198?
How do I remediate CVE-2023-20198?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2023-20198
Is Your Infrastructure Affected by CVE-2023-20198?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.