CVE-2023-20273

HIGH KEV

Cisco IOS XE - Command Injection

Title source: llm

Description

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

Exploits (1)

nomisec WORKING POC 14 stars

by smokeintheshell · remote

https://github.com/smokeintheshell/CVE-2023-20273

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20273

Scores

CVSS v3 7.2

EPSS 0.9216

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2023-10-23

VulnCheck KEV 2023-10-16

InTheWild.io 2023-10-21

ENISA EUVD EUVD-2023-24452

CWE

CWE-78

Status published

Products (50)

cisco/ios_xe 16.1.1

cisco/ios_xe 16.1.2

cisco/ios_xe 16.1.3

cisco/ios_xe 16.2.1

cisco/ios_xe 16.2.2

cisco/ios_xe 16.3.1a

cisco/ios_xe 16.3.2

cisco/ios_xe 16.3.3

cisco/ios_xe 16.3.4

cisco/ios_xe 16.3.5

... and 40 more

Published Oct 25, 2023

KEV Added Oct 23, 2023

Tracked Since Feb 18, 2026