Threats / Cisco / CVE-2023-20273
CVE-2023-20273
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Cisco IOS XE Web UI vulnerability
Cisco IOS XE Web UI contains a command injection vulnerability (CWE-78) that can be chained with CVE-2023-20198 to achieve root privilege escalation and implant deployment. Active exploitation observed in the wild.
Verdict
Today item — known-exploited.
Command injection in the web interface allows unauthenticated or low-privileged attackers to execute arbitrary OS commands. When combined with authentication bypass, this enables full system compromise and persistent malware installation on network infrastructure.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
36 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-10-23).
Probability (EPSS)
EPSS 0.89634 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Cisco, Cisco IOS XE Web UI. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-78 OS Command Injection — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I inject shell metacharacters into web UI parameters to break out of intended command context and execute arbitrary system commands.
Business
Network device is compromised with attacker-controlled code execution at application privilege level.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I chain this with CVE-2023-20198 to create a new local user account with known credentials on the compromised device.
Business
Attacker gains persistent authenticated access to the device for future exploitation.
3
Lateral reach — past segmentation narrative 3
Attacker
I leverage the new user account to escalate privileges to root through the command injection vector.
Business
Attacker achieves unrestricted system-level control of critical network infrastructure.
4
Data at risk — exfiltration narrative 4
Attacker
I write malicious implants or backdoors to the file system with root permissions, ensuring persistence across reboots.
Business
Organization loses control of network edge device; attacker maintains long-term access for lateral movement and data exfiltration.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05