Exploited: yes (listed in CISA's Known Exploited Vulnerabilities catalog)
CVSS base score: 7.2
CWE: CWE-20, CWE-77, CWE-78

CVE-2023-20273: Cisco IOS XE Web UI Command Injection Vulnerability

First published: Mon Oct 23 2023

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands that run with root privileges. The vulnerability is due to insufficient input validation in the web UI. An attacker with valid web UI credentials could exploit it by sending crafted input to the web UI; a successful exploit lets the attacker inject commands into the underlying operating system as root. The web UI is only reachable when the HTTP server feature (ip http server / ip http secure-server) is enabled on the device.

Credit: ykramarz@cisco.com

Affected Software: Cisco IOS XE Web UI (vendor: Cisco)
Note the rebuild suffix in the upper bounds: 17.9.4 is inside the affected range, while 17.9.4a is the first fixed release in that train.

Affected Version                       How to fix
Cisco IOS XE >= 17.3, < 17.3.8a        Upgrade to 17.3.8a or later in the 17.3 train
Cisco IOS XE >= 17.6, < 17.6.6a        Upgrade to 17.6.6a or later in the 17.6 train
Cisco IOS XE >= 17.9, < 17.9.4a        Upgrade to 17.9.4a or later in the 17.9 train
All of:
Cisco IOS XE >= 16.12, < 16.12.10a     Upgrade to 16.12.10a or later in the 16.12 train
Any of (the 16.12 range above applies only to these Catalyst 3650/3850 platforms):
Cisco Catalyst 3650
Cisco Catalyst 3650-12x48fd-e
Cisco Catalyst 3650-12x48fd-l
Cisco Catalyst 3650-12x48fd-s
Cisco Catalyst 3650-12x48uq
Cisco Catalyst 3650-12x48uq-e
Cisco Catalyst 3650-12x48uq-l
Cisco Catalyst 3650-12x48uq-s
Cisco Catalyst 3650-12x48ur
Cisco Catalyst 3650-12x48ur-e
Cisco Catalyst 3650-12x48ur-l
Cisco Catalyst 3650-12x48ur-s
Cisco Catalyst 3650-12x48uz
Cisco Catalyst 3650-12x48uz-e
Cisco Catalyst 3650-12x48uz-l
Cisco Catalyst 3650-12x48uz-s
Cisco Catalyst 3650-24pd
Cisco Catalyst 3650-24pd-e
Cisco Catalyst 3650-24pd-l
Cisco Catalyst 3650-24pd-s
Cisco Catalyst 3650-24pdm
Cisco Catalyst 3650-24pdm-e
Cisco Catalyst 3650-24pdm-l
Cisco Catalyst 3650-24pdm-s
Cisco Catalyst 3650-24ps-e
Cisco Catalyst 3650-24ps-l
Cisco Catalyst 3650-24ps-s
Cisco Catalyst 3650-24td-e
Cisco Catalyst 3650-24td-l
Cisco Catalyst 3650-24td-s
Cisco Catalyst 3650-24ts-e
Cisco Catalyst 3650-24ts-l
Cisco Catalyst 3650-24ts-s
Cisco Catalyst 3650-48fd-e
Cisco Catalyst 3650-48fd-l
Cisco Catalyst 3650-48fd-s
Cisco Catalyst 3650-48fq
Cisco Catalyst 3650-48fq-e
Cisco Catalyst 3650-48fq-l
Cisco Catalyst 3650-48fq-s
Cisco Catalyst 3650-48fqm
Cisco Catalyst 3650-48fqm-e
Cisco Catalyst 3650-48fqm-l
Cisco Catalyst 3650-48fqm-s
Cisco Catalyst 3650-48fs-e
Cisco Catalyst 3650-48fs-l
Cisco Catalyst 3650-48fs-s
Cisco Catalyst 3650-48pd-e
Cisco Catalyst 3650-48pd-l
Cisco Catalyst 3650-48pd-s
Cisco Catalyst 3650-48pq-e
Cisco Catalyst 3650-48pq-l
Cisco Catalyst 3650-48pq-s
Cisco Catalyst 3650-48ps-e
Cisco Catalyst 3650-48ps-l
Cisco Catalyst 3650-48ps-s
Cisco Catalyst 3650-48td-e
Cisco Catalyst 3650-48td-l
Cisco Catalyst 3650-48td-s
Cisco Catalyst 3650-48tq-e
Cisco Catalyst 3650-48tq-l
Cisco Catalyst 3650-48tq-s
Cisco Catalyst 3650-48ts-e
Cisco Catalyst 3650-48ts-l
Cisco Catalyst 3650-48ts-s
Cisco Catalyst 3650-8x24pd-e
Cisco Catalyst 3650-8x24pd-l
Cisco Catalyst 3650-8x24pd-s
Cisco Catalyst 3650-8x24uq
Cisco Catalyst 3650-8x24uq-e
Cisco Catalyst 3650-8x24uq-l
Cisco Catalyst 3650-8x24uq-s
Cisco Catalyst 3850
Cisco Catalyst 3850-12s-e
Cisco Catalyst 3850-12s-s
Cisco Catalyst 3850-12x48u
Cisco Catalyst 3850-12xs-e
Cisco Catalyst 3850-12xs-s
Cisco Catalyst 3850-16xs-e
Cisco Catalyst 3850-16xs-s
Cisco Catalyst 3850-24p-e
Cisco Catalyst 3850-24p-l
Cisco Catalyst 3850-24p-s
Cisco Catalyst 3850-24pw-s
Cisco Catalyst 3850-24s-e
Cisco Catalyst 3850-24s-s
Cisco Catalyst 3850-24t-e
Cisco Catalyst 3850-24t-l
Cisco Catalyst 3850-24t-s
Cisco Catalyst 3850-24u
Cisco Catalyst 3850-24u-e
Cisco Catalyst 3850-24u-l
Cisco Catalyst 3850-24u-s
Cisco Catalyst 3850-24xs
Cisco Catalyst 3850-24xs-e
Cisco Catalyst 3850-24xs-s
Cisco Catalyst 3850-24xu
Cisco Catalyst 3850-24xu-e
Cisco Catalyst 3850-24xu-l
Cisco Catalyst 3850-24xu-s
Cisco Catalyst 3850-32xs-e
Cisco Catalyst 3850-32xs-s
Cisco Catalyst 3850-48f-e
Cisco Catalyst 3850-48f-l
Cisco Catalyst 3850-48f-s
Cisco Catalyst 3850-48p-e
Cisco Catalyst 3850-48p-l
Cisco Catalyst 3850-48p-s
Cisco Catalyst 3850-48pw-s
Cisco Catalyst 3850-48t-e
Cisco Catalyst 3850-48t-l
Cisco Catalyst 3850-48t-s
Cisco Catalyst 3850-48u
Cisco Catalyst 3850-48u-e
Cisco Catalyst 3850-48u-l
Cisco Catalyst 3850-48u-s
Cisco Catalyst 3850-48xs
Cisco Catalyst 3850-48xs-e
Cisco Catalyst 3850-48xs-f-e
Cisco Catalyst 3850-48xs-f-s
Cisco Catalyst 3850-48xs-s
Cisco Catalyst 3850-nm-2-40g
Cisco Catalyst 3850-nm-8-10g

Remedy

Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.
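The version ranges in the table above and the "apply mitigations per vendor instructions" step in the remedy both come down to two checks on each device: is the running IOS XE release inside a listed affected range, and is the web UI (the HTTP server feature) enabled at all. The script below is an added example, not SecAlerts or Cisco code. It transcribes the ranges from this page's table (nothing else), parses version strings in both the bare form (17.9.4a) and the zero-padded form that `show version` prints (17.09.04a), and treats the rebuild suffix correctly so that 17.9.4 is affected and 17.9.4a is fixed. The `show version` lines and the config fragment it runs over are constructed samples. A result of "not listed" means the release is outside every range on this page, not that it is fixed; trains the table does not mention are not checked.

```python
"""Triage IOS XE devices against the affected ranges listed on this page.

Added example (not SecAlerts or Cisco code). AFFECTED_RANGES is transcribed
from the table above; all sample command output below is constructed.
"""
import re

# (first affected, first fixed, platforms) transcribed from the table above.
# platforms=None means the range applies to every platform; the 16.12 range
# is listed only for the Catalyst 3650/3850 families.
AFFECTED_RANGES = [
    ("17.3", "17.3.8a", None),
    ("17.6", "17.6.6a", None),
    ("17.9", "17.9.4a", None),
    ("16.12", "16.12.10a", ("Catalyst 3650", "Catalyst 3850")),
]

# major.minor[.patch][rebuild-letter]; the patch is optional so "17.3" parses.
_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)")


def parse_version(text):
    """Return a comparable (major, minor, patch, suffix) tuple.

    Prefers the number after "Version" when the input is a `show version`
    line, otherwise takes the first version-shaped token. int() strips the
    zero padding ("17.09.04a" -> 17.9.4a). Python compares "" < "a", so the
    rebuild sorts after the plain release: 17.9.4 < 17.9.4a.
    """
    m = re.search(r"Version\s+" + _VER_RE.pattern, text) or _VER_RE.search(text)
    if not m:
        raise ValueError(f"no IOS XE version found in {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), suffix)


def is_affected(version_text, platform=None):
    """Return the (first affected, first fixed) range that matches, else None.

    None means "outside every range listed on this page", which is not the
    same as "fixed": trains the table does not list are simply not checked.
    """
    v = parse_version(version_text)
    for lo, fixed, platforms in AFFECTED_RANGES:
        if platforms and not (platform and any(p in platform for p in platforms)):
            continue  # platform-restricted range, and this device is not one of them
        if parse_version(lo) <= v < parse_version(fixed):
            return (lo, fixed)
    return None


# IOS XE writes the disabled state explicitly as "no ip http server", so only
# a line *without* the "no" prefix counts as enabled.
_HTTP_RE = re.compile(r"^\s*(no\s+)?ip http (secure-)?server\s*$", re.M)


def webui_enabled(running_config):
    """True if `ip http server` or `ip http secure-server` is active."""
    return any(m.group(1) is None for m in _HTTP_RE.finditer(running_config))


def triage(version_text, platform, running_config):
    """Combine both checks into one verdict string for a device."""
    hit = is_affected(version_text, platform)
    exposed = webui_enabled(running_config)
    if hit and exposed:
        return f"AFFECTED and web UI enabled: upgrade to {hit[1]} (or disable ip http server/secure-server)"
    if hit:
        return f"affected release ({hit[0]} <= v < {hit[1]}) but web UI disabled: still upgrade to {hit[1]}"
    return "not listed in the ranges on this page (verify against the vendor advisory for other trains)"


# Constructed samples: `show version` first lines and a running-config fragment.
SAMPLE_DEVICES = [
    ("Cisco IOS XE Software, Version 17.09.04", "Catalyst 9300"),
    ("Cisco IOS XE Software, Version 17.09.04a", "Catalyst 9300"),
    ("Cisco IOS XE Software, Version 16.12.09", "Catalyst 3850-48P"),
    ("Cisco IOS XE Software, Version 16.12.09", "Catalyst 9300"),
]
SAMPLE_CONFIG = """\
!
ip http server
no ip http secure-server
ip http authentication local
!
"""

if __name__ == "__main__":
    for ver, plat in SAMPLE_DEVICES:
        print(f"{plat:18} {ver.split('Version ')[1]:10} -> {triage(ver, plat, SAMPLE_CONFIG)}")
```

The platform string is only consulted for the 16.12 range, matching how the table scopes it; everything else is decided purely by the version tuple. Feed the script the real `show version` line and `show running-config | include ip http` output from each device.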


Frequently Asked Questions

  • What is CVE-2023-20273?

    CVE-2023-20273 is a command injection vulnerability (CWE-77/CWE-78, rooted in insufficient input validation, CWE-20) in the web UI feature of Cisco IOS XE Software.

  • How does CVE-2023-20273 work?

    An authenticated, remote attacker sends crafted input to the web UI; because that input is not sufficiently validated, the attacker can inject commands that the underlying operating system executes with root privileges.

  • Is there a specific software affected by CVE-2023-20273?

    Yes, the web UI feature of Cisco IOS XE Software is affected. The affected release ranges (17.3 before 17.3.8a, 17.6 before 17.6.6a, 17.9 before 17.9.4a, and 16.12 before 16.12.10a on Catalyst 3650/3850) are listed above.

  • How severe is CVE-2023-20273?

    CVE-2023-20273 has a severity rating of high (CVSS base score 7.2), and it is listed as exploited in the wild.

  • Is there a fix available for CVE-2023-20273?

    Yes. Cisco has released fixed software (the first fixed release in each affected train is given in the table above) and a security advisory with mitigation guidance, including disabling the HTTP server feature until the device can be upgraded.

© 2024 SecAlerts Pty Ltd.