CVE-2023-20198 Explained: Cisco IOS XE Web UI Zero-Day and the 50,000-Device Compromise
A CVSS 10.0 unauthenticated privilege escalation vulnerability in Cisco IOS XE's web management interface. Over 50,000 devices compromised within 48 hours. Chained with CVE-2023-20273 to deploy persistent implants.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2023-20198 is a maximum-severity (CVSS 10.0) privilege escalation vulnerability in the web UI feature of Cisco IOS XE software. An unauthenticated remote attacker can exploit this vulnerability to create a new account with privilege level 15 (full administrative access) on the target device. Cisco confirmed active exploitation as a zero-day before publishing any advisory on October 16, 2023.
Within 48 hours of public awareness, security researchers observed over 50,000 Cisco IOS XE devices compromised globally. Attackers chained CVE-2023-20198 with a second vulnerability, CVE-2023-20273, to deploy a persistent Lua-based implant that survived reboots and provided backdoor access independent of the created administrator account.
The Two-CVE Chain: Account Creation to Persistent Implant
CVE-2023-20198 affects Cisco IOS XE devices, including switches, routers, and wireless controllers, where the HTTP Server feature (web management interface) is enabled and accessible. The vulnerability allows an unauthenticated attacker to send a crafted HTTP request to the web UI that triggers a code path creating a new local user account with privilege level 15.
Privilege level 15 in IOS XE is equivalent to root in Unix systems, full enable mode access with unrestricted configuration rights. The created account is functional immediately upon creation with no email confirmation, MFA challenge, or approval workflow.
With the newly created admin account, attackers then exploited CVE-2023-20273, a command injection vulnerability in the web UI's diagnostic tools, to execute arbitrary commands as root on the IOS XE operating system. This second vulnerability elevated access from IOS-level administrator to the underlying Linux kernel running IOS XE.
The final stage: deployment of a Lua-based implant injected into the Nginx web server process. The implant accepted commands through specially crafted HTTP requests matching a specific URL pattern, providing persistent backdoor access. The implant was designed to appear in health check responses as inactive to evade detection, and was updated by attackers partway through the exploitation campaign specifically to hide from newly published detection queries.
Identify exposed IOS XE web UI
Scan for Cisco IOS XE devices with the HTTP Server feature enabled on port 80 or 443. Exposed devices are detectable via Shodan, Censys, and similar internet scan databases. Cisco estimates tens of thousands of IOS XE web UIs are internet-exposed.
Exploit CVE-2023-20198 to create admin account
Send a crafted unauthenticated HTTP request to the web management interface that triggers the account creation vulnerability, establishing a new privilege level 15 local user.
Authenticate with new account
Log into the device using the newly created administrator account. Full IOS XE configuration access is immediately available.
Exploit CVE-2023-20273 for root execution
Use the authenticated web UI to trigger CVE-2023-20273 command injection, escaping from IOS XE privilege level to the underlying Linux kernel with root privileges.
Deploy Lua implant
Inject a Lua-based malicious plugin into the Nginx web server process. The implant survives device reboots and accepts commands through HTTP requests matching a specific URI pattern.
Maintain stealth
The implant was updated during the campaign to hide from detection queries that Cisco and researchers published. This iterative evasion suggests active operational management of the compromised device fleet.
Why Network Infrastructure Vulnerabilities Are Particularly Severe
The 50,000-device compromise scale of CVE-2023-20198 is striking, but the deeper concern is what network infrastructure access enables that endpoint compromise does not.
A compromised IOS XE switch or router sits in the data path for all traffic traversing it. An attacker with root access to a network device can: capture plaintext traffic (including credentials on non-encrypted protocols), perform man-in-the-middle attacks against encrypted sessions by intercepting TLS on embedded inspection hardware, manipulate routing tables to redirect traffic flows, create persistent tunnels that bypass security monitoring, and disable port security and 802.1X controls that restrict device access to the network.
Detection is harder than for endpoint compromise. Network device agents are uncommon. EDR visibility does not extend to IOS XE. Syslog and SNMP monitoring provides limited behavioral telemetry compared to endpoint logging. The Lua implant deployed in CVE-2023-20198 exploitation specifically targeted the HTTP server process, a legitimate component, making process-based detection difficult.
The attacker's decision to update the implant mid-campaign to evade published detection methods indicates a sophisticated operator with ongoing operational awareness, monitoring security industry response and adapting in near-real-time.
“The scale of this attack is unprecedented. Over 50,000 IOS XE devices were compromised within 48 hours of public awareness, with a persistent implant designed to survive remediation.”
VulnCheck Security Research, October 2023
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Detection and Remediation for CVE-2023-20198
Cisco released patches in October and November 2023. Detection and remediation require multiple steps due to the persistence mechanism.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2023-20198 is a reminder that network infrastructure is attack surface, not just the medium through which attacks traverse. Cisco IOS XE devices are not passive conduits. They are computers running an operating system, and a root-level compromise of that operating system provides capabilities that sit above, below, and around traditional endpoint security controls.
Fifty thousand compromised devices in 48 hours is an extraordinary exploitation velocity. The network operators who saw this impact fastest were those who had exposed their IOS XE web management interface directly to the internet, a configuration that provides no operational benefit that could justify the risk and should be treated as a policy violation, not just a best practice suggestion.
The durable lessons: disable management interfaces that are not operationally required, restrict those that are required to trusted source IPs only, patch network device operating systems with the same urgency as servers and endpoints, and build monitoring capability that extends below the endpoint layer to the network infrastructure itself.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2023-20198?
CVE-2023-20198 is a CVSS 10.0 unauthenticated privilege escalation vulnerability in the Cisco IOS XE web management interface. An attacker sends a crafted HTTP request to create a new administrator account without any credentials, then chains it with CVE-2023-20273 to deploy a persistent Lua implant. Over 50,000 devices were compromised within 48 hours.
How do I detect the Lua implant from CVE-2023-20198?
Query your device: curl -k -X POST https://[device-ip]/webui/logoutconfirm.html?logon_hash=1. A hexadecimal string in the response indicates implant presence. Also check for unauthorized local accounts using: show running-config | section username.
How do I fix CVE-2023-20198?
Apply Cisco's patches published in October 2023. Immediately disable the HTTP Server feature if not required (no ip http server / no ip http secure-server). Audit and remove unauthorized local user accounts. Restrict web UI access to trusted management IPs only.
What is CVE-2023-20273 and how does it relate to CVE-2023-20198?
CVE-2023-20273 is a command injection vulnerability in the Cisco IOS XE web UI used as the second stage in the same attack chain. Attackers first exploited CVE-2023-20198 to create a privilege-level-15 account without credentials, then used that account to exploit CVE-2023-20273 and deploy a persistent Lua implant with root-level OS access. Cisco patched both vulnerabilities in the same advisory. Remediating only one without the other leaves the device exploitable via the remaining vector.
Was CVE-2023-20198 exploited in the wild before a patch was available?
Yes. CVE-2023-20198 was exploited as a zero-day before Cisco published any advisory. Within 48 hours of the October 16, 2023 disclosure, Censys and VulnCheck observed more than 50,000 compromised devices with active implants. CISA added CVE-2023-20198 to the KEV catalog and issued an emergency directive requiring federal agencies to disable the IOS XE HTTP server feature on all devices pending patching.
Which Cisco devices and software versions are affected by CVE-2023-20198?
CVE-2023-20198 affects all Cisco IOS XE software versions where the web UI feature (ip http server or ip http secure-server) is enabled and reachable from untrusted networks. This includes IOS XE-based switches, routers, wireless LAN controllers, and catalyst center appliances. The vulnerability is not present in IOS XE installations where the HTTP server feature is disabled. The fixed versions were released in October 2023; the exact version table is in Cisco Security Advisory cisco-sa-iosxe-webui-privesc-j22SaA4Z.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
