IRONSMITHINTEL
HIGH | CVSS 7.2 | Actively Exploited | CISA KEV | CVE-2023-20273
Auth: high, requires a level-15 admin account (obtainable via CVE-2023-20198) | Reboot: required | Est. 1 hour including reload | Manual only

Cisco IOS XE < 17.9.4a — RCE

A command injection in the Cisco IOS XE Web UI lets an authenticated level-15 (fully privileged) user run arbitrary commands on the underlying host operating system as root. Chained after CVE-2023-20198, which creates such an account without any credentials, it completes the zero-day exploit chain used in October 2023 to compromise more than 40,000 internet-exposed IOS XE devices. Apply Cisco's October 2023 fixed releases.

Published Oct 23, 2023 · Updated May 10, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

Used as the second step of the attack chain, this vulnerability lets the attacker write an implant to the IOS XE host operating system and run it as root. The implant itself is not persistent (a reload removes it), but the attacker-created level-15 account is saved in the configuration and survives reboots, so an attacker who can still reach the Web UI can simply re-deploy the implant. While it is running, the implant gives root-level command execution on the device, which can be used for network traffic manipulation, credential capture, and lateral movement into the rest of the network.

How the attack works: No clicks needed

The Cisco IOS XE Web UI has a command injection vulnerability that lets an authenticated user with level-15 (full administrative) privileges inject operating-system commands that execute as root on the underlying Linux host. On its own this requires a legitimate admin account; in the observed campaign it was the second step of a two-CVE chain. CVE-2023-20198 (CVSS 10.0) first creates a level-15 account without any authentication, then CVE-2023-20273 is exercised with that account to write the implant to the host OS and execute it as root.

Am I affected? Quick check

Probably yes if this applies:

Audience: Network Engineers, Cisco Administrators, Network Security Team, IT Security

Running any Cisco IOS XE device with the HTTP or HTTPS server (Web UI) enabled on a release prior to the October 2023 fixed releases, especially where the Web UI was reachable from the internet or other untrusted networks.
Fixed in: Cisco IOS XE 17.9.4a / 17.6.6a / 17.3.8a / 16.12.10a (October 2023)
Real-world incidents: What we've seen

Cisco disclosed CVE-2023-20273 alongside CVE-2023-20198 in October 2023, identifying it as the second vulnerability needed for the full attack that compromised more than 40,000 IOS XE devices. The observed pattern was: (1) exploit CVE-2023-20198 on an exposed Web UI to create a privilege-15 account, (2) authenticate as that account and exploit CVE-2023-20273 to write an implant to the host OS, (3) use the implant for root-level command execution on the device. The implant itself is cleared by a reload, but the account is saved in the configuration and remains, so re-infection is possible for as long as the Web UI stays reachable. See also the CVE-2023-20198 entry for the first step of this chain.

How to patch

Manual remediation steps

1 hour including reload

This is part of the CVE-2023-20198 two-CVE chain

See: cisco-ios-xe-privilege-escalation-cve-2023-20198-october-2023

Immediate Action — Disable Web UI

Disable both the HTTP and HTTPS servers until the device is patched; this removes the attack surface for both CVEs and is Cisco's recommended mitigation. It also takes down any feature that depends on the HTTP server, so confirm nothing in your deployment relies on it first.

! Cisco IOS XE CLI, from privileged EXEC:
configure terminal
 no ip http server
 no ip http secure-server
end
write memory

Check for Implant (both CVEs)

# From a management host, probe the implant's endpoint (Cisco Talos indicator):
curl -k "https://<device-ip>/webui/logoutconfirm.html?logon_hash=1"
# A bare hexadecimal string in the response means the implant is present.
# Caveat: a later variant of the implant only answers when a specific
# Authorization header is present, so a non-hex response does not prove
# the device is clean.

! On the device, list local accounts and look for level-15 users you did not
! create (added via CVE-2023-20198):
show running-config | include username

Also review the device syslog for Web UI logins by usernames you do not recognise; an unknown privilege-15 account is an indicator on its own even if the implant probe comes back negative.
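The two checks above are easy to run across an inventory once they are expressed as code. The following Python is an added example, not Cisco's or this page's own tooling: it classifies the body returned by the logon_hash probe and flags privilege-15 accounts in a running-config that are not on an operator-supplied allowlist. The device data embedded in it is constructed, and the helper names, the allowlist mechanism and the live-fetch function are this example's own assumptions.

```python
"""Offline triage helpers for the CVE-2023-20198 / CVE-2023-20273 checks.

Added example, not Cisco's or the page's tooling. Two independent indicators:
  1. the body returned by /webui/logoutconfirm.html?logon_hash=1
  2. privilege-15 usernames in 'show running-config' not on an allowlist
"""
import re
import ssl
import urllib.request
from typing import Iterable

# Talos indicator: the implant answers the probe with a bare hexadecimal string.
HEX_BODY = re.compile(r"^[0-9a-fA-F]{8,}$")

# 'username <name> privilege 15 ...' lines from 'show running-config'.
PRIV15_LINE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)


def implant_indicator(body: str) -> bool:
    """True if the probe response looks like the implant's hex reply.

    A clean device returns the normal logout page (HTML) or an error, never a
    bare hex token. Caveat: a later implant variant only answers when a
    specific Authorization header is sent, so False is not proof of a clean
    device.
    """
    return bool(HEX_BODY.match(body.strip()))


def unexpected_priv15_users(running_config: str, allowlist: Iterable[str]) -> list[str]:
    """Privilege-15 usernames present in the config but not on the allowlist."""
    found = {m.group(1) for m in PRIV15_LINE.finditer(running_config)}
    return sorted(found - set(allowlist))


def triage(body: str, running_config: str, allowlist: Iterable[str]) -> dict:
    """Combine both indicators into one verdict for a device."""
    rogue = unexpected_priv15_users(running_config, allowlist)
    hit = implant_indicator(body)
    return {
        "implant_indicator": hit,
        "unexpected_priv15_users": rogue,
        "compromised": hit or bool(rogue),
    }


def fetch_logon_hash(host: str, timeout: float = 5.0) -> str:
    """Live equivalent of the 'curl -k' probe above (not used by the offline demo).

    Certificate verification is disabled because Web UI certificates are
    usually self-signed; the host is an assumed operator-supplied address.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


# --- constructed sample data (not captured from a real device) ---
SAMPLE_COMPROMISED_BODY = "a1b2c3d4e5f60718a9"  # hex token => implant present
SAMPLE_CLEAN_BODY = "<html><body>Logout confirmed</body></html>"
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$examplehashA
username rogue_admin privilege 15 secret 9 $9$examplehashB
username monitor privilege 1 secret 9 $9$examplehashC
ip http secure-server
"""

if __name__ == "__main__":
    # 'netops' is the only account the operator expects; rogue_admin is flagged.
    print(triage(SAMPLE_COMPROMISED_BODY, SAMPLE_RUNNING_CONFIG, ["netops"]))
```

Treat the two indicators as independent: a device with an unexpected level-15 account but a negative probe still has to be handled as compromised, since the attacker can redeploy the implant at will and the later implant variant does not answer the unauthenticated probe.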

Remove the Implant

With the Web UI already disabled (previous step), remove the unauthorized accounts first and only then reload. A reload clears the implant from the host OS regardless of software version, but the accounts live in the saved configuration and are not removed by a reload.

! Cisco IOS XE CLI, from privileged EXEC:
configure terminal
 no username <attacker-account>
end
write memory
! Now reload to clear the implant from the host OS
reload

After the device comes back, repeat the implant check. Because the attacker had root on the device, treat every secret in the running configuration (local passwords, SNMP communities, AAA/TACACS+ keys, routing protocol keys) as exposed and rotate it.

Apply the Software Update

1
Download the fixed IOS XE release from the Cisco Software Center and note the checksum Cisco publishes for it.
2
Copy the image, verify its checksum, point the boot statement at it and reload (bundle-mode example; on platforms running in install mode use "install add file bootflash:<filename> activate commit" instead):
copy tftp: flash:<filename>
verify /md5 flash:<filename> <md5-from-cisco>
configure terminal
 no boot system
 boot system flash:<filename>
end
write memory
reload
3
After the reload, confirm the running release with "show version" and repeat the implant check.

Re-enable Web UI After Patching (with ACL)

Only do this if the Web UI is actually needed. Leave plain HTTP disabled, enable HTTPS only, and restrict it to management addresses with an ACL. WEBUI-MGMT and the 10.0.0.0/24 prefix are placeholders for your own ACL name and management range; on older trains that do not accept a named ACL here, use a numbered standard ACL (1-99) with "ip http access-class <number>".

configure terminal
 ip access-list standard WEBUI-MGMT
  permit 10.0.0.0 0.0.0.255
 no ip http server
 ip http secure-server
 ip http access-class ipv4 WEBUI-MGMT
end
write memory
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.