Vulnerability Watch

Forum Discussion

scaveza
Product Team
3 years ago


CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild

On October 16, Cisco’s Talos published a blog post warning of a zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software that has been exploited in the wild by unknown threat actors. According to the security advisory, CVE-2023-20198 is a privilege escalation vulnerability affecting Cisco IOS XE software, receiving the highest possible CVSS score of 10. Successful exploitation of this vulnerability would allow an attacker to create a user account with full administrative privileges.

At this time, patches are not yet available to remediate this vulnerability. However, Cisco’s security advisory does provide mitigation guidance to apply immediately to prevent exploitation of affected devices.

For more information, please visit our blog.

1 Reply

  • drrobbins
    Connect Contributor

    As of 2023-12-14, the blog states that Cisco has not released updates for this critical zero-day yet. And Tenable plugin revisions for these findings still reflect that.

    However, Cisco has since released many updates, and I think the blog and Tenable plugins need to be revised to determine the patch level of the endpoint for the CVE.

    Here's just a sample of IOS XE versions and their released patch:

    VERSION    FIRST FIXED IN
    16.9.3     16.12.10a
    16.12.8    16.12.10a
    16.9.4     16.12.10a
    16.12.4    16.12.10a
    16.3.5     16.12.10a
    16.9.2     16.12.10a
    16.6.5     16.12.10a
    16.8.1     16.12.10a
    16.3.7     16.12.10a
    16.6.3     16.12.10a
    16.6.2     16.12.10a
    16.6.1     16.12.10a
    16.6.4     16.12.10a
    16.12.3s   16.12.10a
    16.9.5     16.12.10a
    16.12.5b   16.12.10a
    16.12.3a   16.12.10a
    16.10.1    16.12.10a
    16.6.9     16.12.10a
    16.12.3    16.12.10a
    16.12.2    16.12.10a
    16.11.1    16.12.10a
    16.3.3     16.12.10a
    16.3.6     16.12.10a
    16.4.2     16.12.10a
    16.12.1    16.12.10a
    16.2.1     16.12.10a
    16.6.7     16.12.10a
    16.6.6     16.12.10a
    16.12.5    16.12.10a
    17.3.4a    17.3.8a
    17.3.5     17.3.8a
    17.3.4     17.3.8a
    17.3.2     17.3.8a
    17.3.3     17.3.8a
    17.3.6     17.3.8a
    17.6.4     17.6.5a or 17.6.6a
    17.5.1     17.6.5a or 17.6.6a
    17.6.3a    17.6.5a or 17.6.6a
    17.6.1a    17.6.5a or 17.6.6a
    17.6.5     17.6.5a or 17.6.6a
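A version check of the kind drrobbins asks the plugins to perform, added here as an example (it is not Tenable's plugin code or anything posted in the thread): it transcribes the first-fixed rows above into a per-train table, parses IOS XE release strings including the rebuild letter, and reports fixed / vulnerable / unknown for each device. The hostnames and inventory lines are constructed, and treating a release that sits between two listed rebuilds (such as 17.6.6 without the 'a') as unknown is my assumption, not something the reply states.

```python
import re

# Train -> fixed release(s), transcribed from the rows in drrobbins's reply above.
# Every 16.x train listed there points at 16.12.10a; 17.5 and 17.6 share the 17.6 rebuilds.
FIRST_FIXED = {
    **{t: ["16.12.10a"] for t in ("16.2", "16.3", "16.4", "16.6", "16.8",
                                  "16.9", "16.10", "16.11", "16.12")},
    "17.3": ["17.3.8a"],
    "17.5": ["17.6.5a", "17.6.6a"],
    "17.6": ["17.6.5a", "17.6.6a"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_version(text):
    """Split '16.12.3s' into (16, 12, 3, 's'). The rebuild letter sorts after the
    plain release, so 16.12.10a > 16.12.10 under ordinary tuple comparison."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix

def assess(installed):
    """Return 'fixed', 'vulnerable' or 'unknown' for one installed release."""
    v = parse_version(installed)
    fixed = FIRST_FIXED.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unknown"  # train absent from the reply's table; consult Cisco's advisory
    fixed_versions = sorted(parse_version(f) for f in fixed)
    if v in fixed_versions or v > fixed_versions[-1]:
        return "fixed"
    if v < fixed_versions[0]:
        return "vulnerable"
    # Between two listed rebuilds (e.g. 17.6.6 without the 'a'): the table is silent (assumption).
    return "unknown"

def assess_inventory(lines):
    """Map constructed 'hostname version' lines to one verdict per host."""
    return {host: assess(ver) for host, ver in (ln.split() for ln in lines if ln.strip())}

if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = ["edge-rtr-1 16.12.3s", "edge-rtr-2 16.12.10a", "core-sw-1 17.3.8a",
              "branch-3 17.6.6", "lab-9 17.9.1"]
    for host, verdict in assess_inventory(sample).items():
        print(f"{host:12} {verdict}")
```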