CVE-2023-20198

ENISA EUVD: EUVD-2023-24377 ↗
Exploited in the Wild ✓ Confirmed 0-Day
Triaged: March 5, 2026 17 articles Published: 2023-10-16
VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23
94.01%
probability
This CVE has a 94.01% probability of being exploited in the next 30 days.
0% Top 99.9th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
10
CRITICAL
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

Affected Products

Cisco
Cisco IOS XE Software
16.1.1 16.1.2 16.1.3 16.2.1 16.2.2 16.3.1

Attack Intelligence

Exploits & PoC

smokeintheshell/CVE-2023-20198

CVE-2023-20198 Exploit PoC

64 2026-03-26
W01fh4cker/CVE-2023-20198-RCE

CVE-2023-20198-RCE, support adding/deleting users and executing cli commands/system commands.

42 2024-04-25
fox-it/cisco-ios-xe-implant-detection

Cisco IOS XE implant scanning & detection (CVE-2023-20198, CVE-2023-20273)

41 2023-11-07
ZephrFish/CVE-2023-20198-Checker

CVE-2023-20198 & 0Day Implant Scanner

33 2025-12-07
Shadow0ps/CVE-2023-20198-Scanner

This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273

33 2023-10-24
Atea-Redteam/CVE-2023-20198

CVE-2023-20198 Checkscript

20 2023-10-23
Tounsi007/CVE-2023-20198

CVE-2023-20198 PoC (!)

11 2023-10-17
Pushkarup/CVE-2023-20198

A PoC for CVE 2023-20198

8 2023-10-23
RevoltSecurities/CVE-2023-20198

An Exploitation script developed to exploit the CVE-2023-20198 Cisco zero day vulnerability on their IOS routers

7 2023-11-03
iveresk/cve-2023-20198

1vere$k POC on the CVE-2023-20198

6 2023-10-20
sohaibeb/CVE-2023-20198

CISCO CVE POC SCRIPT

4 2025-02-19
G4sul1n/Cisco-IOS-XE-CVE-2023-20198

Exploit PoC for CVE-2023-20198

3 2025-04-11
alekos3/CVE_2023_20198_Detector

This script can identify if Cisco IOS XE devices are vulnerable to CVE-2023-20198

2 2023-10-31
mr-r3b00t/CVE-2023-20198-IOS-XE-Scanner
2 2023-10-25
Vulnmachines/Cisco_CVE-2023-20198

Cisco CVE-2023-20198

2 2023-12-11
securityphoenix/cisco-CVE-2023-20198-tester

cisco-CVE-2023-20198-tester

1 2023-10-20
emomeni/Simple-Ansible-for-CVE-2023-20198
1 2023-10-17
kacem-expereo/CVE-2023-20198

Check a target IP for CVE-2023-20198

1 2023-10-24
IceBreakerCode/CVE-2023-20198
1 2023-10-25
djayaGit/cve-2023-20198-poc-cisco

CVE-2023-20198是思科IOS XE软件Web UI功能中的一个严重漏洞,允许未经身份验证的远程攻击者在受影响的系统上创建具有特权级别15的账户,从而完全控制设备。

1 2024-11-22
raystr-atearedteam/CVE-2023-20198-checker
0 2023-10-17
JoyGhoshs/CVE-2023-20198

Checker for CVE-2023-20198 , Not a full POC Just checks the implementation and detects if hex is in response or not

0 2023-10-18
reket99/Cisco_CVE-2023-20198
0 2023-10-19
ohlawd/CVE-2023-20198
0 2023-10-25
netbell/CVE-2023-20198-Fix

Check for and remediate conditions that make an IOS-XE device vulnerable to CVE-2023-20198

0 2023-12-09
sanan2004/CVE-2023-20198
0 2024-08-26
AhmedMansour93/Event-ID-193-Rule-Name-SOC231-Cisco-IOS-XE-Web-UI-ZeroDay-CVE-2023-20198-

🚨 Just completed a detailed investigation for Event ID 193: "SOC231 - Cisco IOS XE Web UI ZeroDay (CVE-2023-20198)" via @LetsDefend.io. The attacker s

0 2024-09-13
DOMINIC471/qub-network-security-cve-2023-20198

Analysis, detection, and mitigation of CVE-2023-20198 exploitation in Cisco IOS XE – QUB CSC3064 Network Security Assessment

0 2025-05-15
Arshit01/CVE-2023-20198
0 2025-06-09
Religan/CVE-2023-20198

A cybersecurity case study analysing CVE-2023-20198 in Cisco IOS XE, covering vulnerability exploitation, mitigation strategies, secure software devel

0 2025-12-15
Gill-Singh-A/CVE-2023-20198-Exploit

Proof-of-concept exploit for CVE-2023-20198, an authentication bypass vulnerability affecting Cisco IOS XE Web UI

0 2026-02-17
gustavorobertux/cisco-cve-2023-20198-checker
0 2026-03-08
telly251/forwardnetworksdemo

Demo to remediate CVE-2023-20198 using forward networks and tines

0 2026-04-10
AjayKalbhile/Cisco-SD-WAN-Auth-Bypass-Pentest

CVE-2023-20198 Authorized Pentest Report | CVSS 9.8

0 2026-04-20
34 repos — triés par ⭐ Rechercher sur GitHub ↗

Signal Intelligence

Confidence
92%
EPSS 94.01%
CVSS v3.1 10
Mentions 17
Last Seen Nov 01, 2025

CNA Information

CNA Assigner
cisco

Analyst Note

CVE-2023-20198 explicitly identified as exploited in the wild via BADCANDY attacks against unpatched Cisco IOS XE devices, with Cisco's official advisory confirming 'previously unknown' exploitation occurring before patches were available. Exploitation timing aligns with CVE publication in October 2023 and active attacks documented by ASD.

Threat Actors 40

MuddyWater
apt_group Information theft and espionage 🇮🇷 IR
Lazarus Group
apt_group Information theft and espionage 🇰🇵 KP
APT 41
apt_group Information theft and espionage 🇨🇳 CN
APT 29
apt_group Information theft and espionage 🇷🇺 RU
APT27
apt_group Information theft and espionage 🇨🇳 CN
Cobalt
apt_group Financial crime 🇷🇺 RU
APT37
apt_group Information theft and espionage 🇰🇵 KP
APT 28
apt_group Information theft and espionage 🇷🇺 RU
FIN7
apt_group Financial crime 🇷🇺 RU
Kimsuky
apt_group Information theft and espionage 🇰🇷 KR
CHRYSENE
apt_group Information theft and espionage 🇮🇷 IR
Harvester
apt_group Information theft and espionage Unknown
Leviathan
apt_group Information theft and espionage 🇨🇳 CN
Hacking Team
apt_group 🇮🇹 IT
GhostEmperor
apt_group Information theft and espionage 🇨🇳 CN
UAC-0020
apt_group 🇺🇦 UA
APT3
apt_group Information theft and espionage 🇨🇳 CN
AridViper
apt_group Information theft and espionage 🇵🇸 PS
Infy
apt_group Information theft and espionage 🇮🇷 IR
SideWinder
apt_group 🇮🇳 IN
RAZOR TIGER
apt_group Information theft and espionage 🇮🇳 IN
FamousSparrow
apt_group Information theft and espionage 🇨🇳 CN
Larva-208
apt_group 🇷🇺 RU
Earth Estries
apt_group Information theft and espionage 🇨🇳 CN
APT31
apt_group Information theft and espionage 🇨🇳 CN
APT 22
apt_group Information theft and espionage 🇨🇳 CN
RedGolf
apt_group Information theft and espionage 🇨🇳 CN
APT 6
apt_group Information theft and espionage 🇨🇳 CN
Markopolo
apt_group 🇷🇺 RU
Storm-0324
apt_group
Red Dev 17
apt_group 🇨🇳 CN
Red October
apt_group 🇷🇺 RU
The White Company
apt_group Information theft and espionage 🇨🇳 CN
Operation Red Signature
apt_group Information theft and espionage 🇨🇳 CN
Mana Team
apt_group 🇨🇳 CN
Higaisa
apt_group 🇰🇷 KR
Beijing Group
apt_group Information theft and espionage 🇨🇳 CN
LightBasin
apt_group Information theft and espionage 🇨🇳 CN
Operation Black Atlas
apt_group Financial crime
Dark Partners
apt_group

Triage Info

Decided atMar 05, 2026
Published DateOct 16, 2023