← back
CVE-2023-20273

CVE-2023-20273

CVSS 7.2 HIGHEPSS 89.6%● KEVCWE-78
In short

A flaw in Cisco IOS XE's web interface allows a logged-in attacker to run system commands with administrator privileges by sending specially crafted input. This happens because the system doesn't properly validate what users type.

Technical detail

CWE-78 command injection vulnerability in Cisco IOS XE web UI due to insufficient input validation. An authenticated remote attacker can inject OS commands that execute with root privileges by submitting crafted payloads through the web interface. Successful exploitation grants complete system control.

Summary generated and translated by AI from the official description.
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Cisco · Cisco IOS XE Software
public PoCs found1
githubgithub.com/smokeintheshell/CVE-2023-2027314
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4zhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20273