Critical zero-day vulnerability CVE-2023-20198 in Cisco devices where thousands of devices have already been compromised

A critical zero-day vulnerability, identified as CVE-2023-20198, has been discovered in Cisco IOS XE devices, and widespread exploitation of this flaw is already underway. This security lapse is alarmingly severe, as it allows attackers unauthenticated remote access with full administrative privileges on the compromised devices.

The Vulnerability

This security flaw resides in the Web UI of Cisco IOS XE devices — a management interface designed to provide user-friendly device administration. Although this feature is intended to be disabled by default, recent data indicates an unsettling reality: approximately 150,000 devices globally have this interface enabled, posing an immense security risk. Closer to home, in Norway, nearly 600 devices have been found with the Web UI feature active.

Research and real-time data from Shodan, a search engine for Internet-connected devices, confirm these figures. Concerned parties can copy these findings using the search string: http.html_hash:1076109428.

Current Exploit Status

As of now, a staggering number of over 30,000 devices have already been compromised due to this vulnerability, with 183 of these incidents occurring in Norway alone. Detailed insights and continuous updates on the exploit can be found here: Exploit Analysis Report. This was done by using the indicators of compromise from Talos and putting it to scan the web.

In the absence of an official patch — attackers are capitalizing on this vulnerability to install malicious implants on affected devices. These implants can grant them complete control of the device but also the integrity of the networks to which they’re connected. You can also view here to see which devices have been compromised Hosts Search – Censys

Immediate Mitigation Measures

Given the absence of a patch, the most effective interim solution is to disable the Web UI feature on any Cisco IOS XE devices within your control. It’s a necessary precaution to mitigate the risk of exploitation until Cisco releases an official fix. You can read more about how to disable the interface here Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

Indicators of Compromise (IoCs)

To ascertain whether your device has been compromised, monitor for the following IoCs:

Suspicious IP addresses:

  • 5.149.249[.]74
  • 154.53.56[.]231

Unfamiliar usernames:

  • cisco_tac_admin
  • cisco_support

Cisco’s Official Guidance

While the cybersecurity community is racing against the clock, Cisco has published an advisory outlining recommendations and potential workarounds for this vulnerability. It’s crucial for all affected parties to review and adhere to these guidelines as we await a permanent security patch. Cisco’s official guidance can be accessed here: Cisco Security Advisory.


The gravity of CVE-2023-20198 cannot be overstated. With thousands of devices already compromised, the onus is on administrators and security teams worldwide to take immediate action, safeguarding their systems and data against this active threat.

Leave a Reply

Scroll to Top