IRONSMITHINTEL
CRITICAL | CVSS 10.0 | Actively Exploited | CISA KEV | CVE-2023-20198 | Auth: none — unauthenticated | Reboot: required | Est. 1 hour including device reload | Manual only

Cisco IOS XE < 17.9.4a — PE

Two chained zero-days in Cisco IOS XE allow unauthenticated attackers to create a local admin account and install a persistent implant. Disable the HTTP server immediately and apply Cisco's patch — over 40,000 devices compromised within days of disclosure.

Published Oct 16, 2023 · Updated May 15, 2026
Why patch: risk explained in plain English

Worst-case scenario: if unpatched

An unauthenticated internet attacker can create an admin account and install a persistent implant on any Cisco IOS XE device with the web UI exposed. The implant provides persistent remote access and can survive reboots. Network infrastructure, including routers and switches, becomes fully controlled by the attacker.

How the attack works: no clicks needed

The Cisco IOS XE Web UI has a privilege escalation vulnerability (CVE-2023-20198) allowing unauthenticated attackers to create a local user account with level 15 (highest) privileges. The second CVE (CVE-2023-20273) is a command injection in the same Web UI that the newly created account can use to install an implant in the host OS with root access.


Am I affected? Quick check

Probably yes if any of these apply:

Roles: Network Engineers, Cisco Administrators, Network Security Team, IT Security
Running: all Cisco IOS XE devices with the HTTP or HTTPS server feature enabled, prior to the October 2023 patch
Fixed in: Cisco IOS XE 17.9.4a / 17.6.6a / 17.3.8a (October 2023)
Real-world incidents: what we've seen

On October 16, 2023, researchers observed active exploitation creating admin accounts on thousands of Cisco devices. Within a week, over 40,000 Cisco IOS XE devices across the globe had been compromised and implanted. The attacker group appeared to be systematic and automated. Cisco released an emergency patch within 10 days of disclosure.

How to patch

Manual remediation steps

1 hour including device reload

Immediate Action — Disable the Web UI

! On the Cisco device CLI:
no ip http server
no ip http secure-server
write memory

Check for Indicators of Compromise

# Look for unexpected local users (level 15 = privileged)
show running-config | include username

# Check for the implant (returns data if infected); Cisco's published check sends a POST:
curl -k -X POST "https://<device-ip>/webui/logoutconfirm.html?logon_hash=1"
# If this returns a hexadecimal string, the device is likely compromised
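The two indicator checks above, written as offline Python over a running-config export and a saved probe response. This is an added example, not an Ironsmith Intel or Cisco tool; the hostname, usernames and hashes in the sample config are constructed for illustration.

```python
"""Offline IoC checks for CVE-2023-20198: unexpected privilege-15 local users
in a running-config export, and a suspicious response to the implant probe.
Example code added to this page; not from the advisory or from Cisco."""
import re

# Constructed sample running-config export (names and hashes are invented).
# 'netops' is the expected admin; 'svc_backup' is an account nobody created.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$xxxxxxxxxxxxxxxx
username readonly secret 9 $9$yyyyyyyyyyyyyyyy
username svc_backup privilege 15 secret 9 $9$zzzzzzzzzzzzzzzz
ip http server
ip http secure-server
"""

USER_RE = re.compile(r"^\s*username\s+(\S+)(?P<rest>.*)$", re.MULTILINE)
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def privileged_users(config_text, min_level=15):
    """Return {name: level} for local users at or above min_level."""
    found = {}
    for m in USER_RE.finditer(config_text):
        pm = PRIV_RE.search(m.group("rest"))
        level = int(pm.group(1)) if pm else 1  # IOS default privilege is 1
        if level >= min_level:
            found[m.group(1)] = level
    return found


def unexpected_admins(config_text, allowlist):
    """Privilege-15 users not on the allowlist; each one needs review."""
    return sorted(set(privileged_users(config_text)) - set(allowlist))


def implant_response_suspicious(body):
    """The logoutconfirm probe on a clean device does not return a bare hex string."""
    text = body.strip()
    return bool(text) and HEX_RE.fullmatch(text) is not None


def web_ui_enabled(config_text):
    """True if either HTTP server line is active (the exposure condition).
    Lines prefixed with 'no ' do not match because the pattern is anchored."""
    return re.search(r"^\s*ip http (secure-)?server\s*$", config_text,
                     re.MULTILINE) is not None


if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(SAMPLE_CONFIG, ["netops"]))
    print("web UI enabled:", web_ui_enabled(SAMPLE_CONFIG))
```

Feed `privileged_users` the output of `show running-config | include username` and `implant_response_suspicious` the body saved from the curl probe.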

If Compromised

1. Isolate the device from the network immediately
2. Collect logs and configurations for forensic review
3. Remove unauthorized user accounts:
no username <attacker-account>
4. Reload the device from a known-good configuration backup
5. Contact Cisco TAC for implant removal guidance

Apply the Software Update

1. Download the patched IOS XE version from Cisco Software Center
2. Copy to the device:
copy tftp: flash:
3. Install and reload:
boot system flash:<filename>
write memory
reload

Re-enable Web UI After Patching (if required)

ip http server
ip http secure-server
ip http access-class <acl-name> in
write memory
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.