BIPI

Cisco IOS XE October 2023: Web UI Off, Implants On

Threat Intelligence

CVE-2023-20198 and CVE-2023-20273 chained an authentication bypass with a privilege escalation in the Cisco IOS XE Web UI: the first created a privilege-15 account with no credentials, the second let that account run commands as root and drop an implant. Tens of thousands of internet-exposed devices were implanted within days. The implications for network-device supply-chain and management security are still working through the industry.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 27, 2024 · 8 min read

#cisco #ios-xe #zero-day #network

Network devices are the unloved attack surface. They run continuously, get patched rarely, and frequently sit behind credentials that have not changed since the rack was deployed. October 2023 was the month Cisco IOS XE customers learned that the Web UI on those devices handed privilege level 15 to anyone who could reach it, no credentials required. Internet-wide scanners counted tens of thousands of compromised devices within days of disclosure.

Timeline

  1. September 18, 2023: earliest attacker activity on a customer device, found retrospectively after Cisco's TAC noticed anomalous behavior on September 28, 2023 and opened an investigation.
  2. October 16, 2023: Cisco discloses CVE-2023-20198, an authentication bypass in the Web UI scoring CVSS 10.0 that lets an unauthenticated remote attacker create a local account at privilege level 15. Customers are advised to disable the Web UI immediately; an initial implant-detection probe is published with the advisory.
  3. October 17 through 19, 2023: internet scanning by VulnCheck, Censys, and others identifies tens of thousands of implanted devices; counts pass 40,000.
  4. October 20, 2023: the second CVE, CVE-2023-20273, is disclosed. This is the privilege-escalation half of the chain: a command injection in the Web UI that the newly created account uses to run commands as root and write the implant.
  5. October 20 through 21, 2023: the visible implant count collapses to roughly a thousand, which looks at first like a cleanup.
  6. October 22, 2023: the first patched IOS XE images become available, and Cisco updates its detection guidance with log indicators.
  7. Late October 2023: Fox-IT (NCC Group) shows the drop was not a cleanup. The implant had been modified to answer only requests carrying a specific Authorization header, which Cisco's original probe did not send; with an adjusted probe, tens of thousands of devices were still implanted. Researchers conclude the attacker rotated to a stealthier implant rather than cleaning up, as was initially speculated.

Root cause

CVE-2023-20198 allowed an unauthenticated attacker to create a level-15 (privileged) local account through a Web UI endpoint. CVE-2023-20273 then allowed that account to inject commands that ran as root; the actor used it to write a Lua implant into the nginx configuration directory (/usr/binos/conf/nginx-conf/cisco_service.conf) and reload nginx so the implant was served. The structural cause was an internet-exposed device management interface on production routing infrastructure, combined with input-validation flaws in code paths that received remote requests.

If your edge router has a public-facing admin UI, the patch cadence of that UI is the patch cadence of your network.

Attacker actions

The implant was a Lua web shell served by the IOS XE nginx process. After installation it accepted commands through an HTTP endpoint and returned the output. The implant itself did not survive a reboot, but the level-15 account created by the first bug did, so a rebooted device is not a clean device. Detection relied on a specific HTTP probe that Cisco published, and later on an adjusted probe once the implant was modified to ignore the original one. The actor cluster has not been formally attributed to date, but the speed of the campaign and the rapid implant-tooling rotation are consistent with a well-resourced, likely state-aligned operation.

Detection signals

  • New IOS XE local accounts at privilege level 15 that did not come from the operator's provisioning system. Usernames reported in this campaign included cisco_tac_admin and cisco_support, but the actor chooses the name, so compare against your inventory rather than a list of known bad names.
  • Unexpected POSTs from internet IPs to the WSMA endpoints behind the Web UI (/webui_wsma_http, /webui_wsma_https), including percent-encoded spellings of the path, and the log lines Cisco published: %SEC_LOGIN-5-WEBLOGIN_SUCCESS from an unknown source, %SYS-5-CONFIG_P "Configured programmatically by process SEP_webui_wsma_http", and %WEBUI-6-INSTALL_OPERATION_INFO for a file you did not install.
  • Cisco's published probe: curl -k -X POST "https://<device>/webui/logoutconfirm.php?logon_hash=1". A response consisting of a bare hexadecimal string indicates the implant. The updated implant variant answers only when a specific Authorization header is present, so a negative result from the original probe does not clear the device.
  • Outbound TCP from network devices to non-management destinations. Network device egress should be minimal and known, so any new destination is worth a look.
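The following is an added triage helper written for this article (example code, not a Cisco tool) that runs the first three signals above over offline input: it lists level-15 accounts absent from a provisioning allowlist in a running-config dump, matches Cisco's published log message formats in syslog, and classifies the body returned by the logoutconfirm.php probe. The allowlist, hostnames, addresses, timestamps and sample lines are constructed for the example; the log message formats and the hex-string check follow Cisco's detection guidance.

```python
"""Offline triage helpers for the IOS XE Web UI campaign indicators.

Added example for this article, not a Cisco tool. Allowlist, sample config,
sample syslog and addresses are constructed; the log message formats and the
hex-string probe check follow Cisco's published detection guidance.
"""
import re
from dataclasses import dataclass, field

# Level-15 accounts the operator's provisioning system is allowed to create.
# Constructed for the example; feed this from your real inventory.
PROVISIONED_PRIV15 = {"netops", "ansible-svc"}

USERNAME_RE = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)


def unexpected_priv15_accounts(running_config: str, allowlist=PROVISIONED_PRIV15):
    """Level-15 usernames in a 'show running-config' dump that provisioning did not create.
    Name-agnostic on purpose: the actor picks the username, so match on inventory,
    not on a list of known bad names."""
    found = set(USERNAME_RE.findall(running_config))
    return sorted(found - set(allowlist))


# Log indicators Cisco published for this campaign (message formats are Cisco's).
LOG_INDICATORS = (
    ("web UI login",
     re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
                r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")),
    ("config written by Web UI process",
     re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process "
                r"(?P<proc>SEP_webui_wsma_https?)")),
    ("file installed via Web UI",
     re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
                r"Install Operation: (?P<op>\S+) (?P<file>\S+)")),
)


@dataclass
class Hit:
    line_no: int
    indicator: str
    fields: dict = field(default_factory=dict)


def scan_syslog(lines):
    """Return one Hit per syslog line that matches a published indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for name, rx in LOG_INDICATORS:
            m = rx.search(line)
            if m:
                hits.append(Hit(n, name, m.groupdict()))
    return hits


HEX_RE = re.compile(r"^[0-9a-fA-F]{8,}$")


def probe_response_indicates_implant(body: str) -> bool:
    """Classify the body returned by Cisco's probe,
    curl -k -X POST "https://<device>/webui/logoutconfirm.php?logon_hash=1".
    An implanted device answers with a bare hexadecimal string; a clean one does not.
    Caveat: the updated implant answers only when a specific Authorization header is
    present, so False here means 'not found', not 'clean'."""
    return HEX_RE.fullmatch(body.strip()) is not None


# --- constructed sample input (not real device output) -----------------------
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 REDACTED
username cisco_tac_admin privilege 15 secret 9 REDACTED
ip http server
ip http secure-server
"""

# cisco_tac_admin was a username reported in the campaign; the timestamps,
# source address (TEST-NET-3) and the unrelated fourth line are constructed.
SAMPLE_SYSLOG = """\
Oct 17 03:42:13.101 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.50] at 03:42:13 UTC Tue Oct 17 2023
Oct 17 03:42:15.220 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 17 03:42:20.004 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf
Oct 17 04:00:00.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
""".splitlines()


def triage(running_config=SAMPLE_CONFIG, syslog_lines=SAMPLE_SYSLOG):
    """One summary per device: rogue level-15 accounts plus matched log indicators."""
    return {
        "rogue_priv15_accounts": unexpected_priv15_accounts(running_config),
        "log_hits": scan_syslog(syslog_lines),
    }


if __name__ == "__main__":
    summary = triage()
    print("rogue level-15 accounts:", summary["rogue_priv15_accounts"])
    for h in summary["log_hits"]:
        print(f"line {h.line_no}: {h.indicator} {h.fields}")
```

Run it against a real running-config and a syslog export by passing them to triage(); the account check is deliberately inventory-based, because a name list would have missed any actor who picked a username other than the ones reported.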

Lessons

  • Disable management UIs that do not need to be on. The IOS XE Web UI is not required for forwarding or for CLI-based management, and many shops never log in to it: no ip http server and no ip http secure-server turn it off. If it must stay on, ip http access-class limits it to management sources.
  • Take all network device management interfaces off the public internet. VPN or out-of-band management network only.
  • Send device logs and configuration snapshots to a central store. Drift detection on the running configuration (a new username, a new HTTP server line) is the cleanest persistence detection there is.
  • Plan for the firmware-implant scenario. Reimaging a router is not a Tuesday afternoon task; pre-staged configuration and golden images shorten the response. And because the rogue account outlives a reboot while the implant does not, "reboot and move on" is not a remediation.

The Cisco campaign closed 2023 the way the year ran: a vendor zero-day, mass exploitation, and a defender community catching up by IOC. The next round of network-device incidents is on the calendar. The defensive question is whether your routers and switches sit inside the same observability and patch discipline as your servers. In most organizations, they still do not. That gap is the next campaign's runway.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.