Cisco IOS XE Web UI Privilege Escalation (CVE-2023-20273)
Security Alert

Comprehensive breakdown of the Cisco IOS XE Web UI privilege escalation chain used in conjunction with CVE-2023-20198 to implant persistent backdoors on enterprise edge routers.

By Keith Rose

Overview

Following the initial disclosure of CVE-2023-20198 (CVSS 10.0), Cisco Talos reported that the threat actor had chained a second vulnerability, CVE-2023-20273 (CVSS 7.2), to escalate to root and install the implant Talos named BadCandy on thousands of Internet-exposed Cisco IOS XE devices worldwide.

Attack Chain

The full exploitation sequence follows this pattern:

  1. Initial Access: CVE-2023-20198 lets a remote, unauthenticated attacker create a local account with privilege level 15 on any device that exposes the Web UI (ip http server or ip http secure-server enabled).
  2. Privilege Escalation: CVE-2023-20273 is a command injection in another component of the Web UI. Logged in as the newly created privilege-15 user, the attacker executes arbitrary commands as root via the webui_wsma_http or webui_wsma_https feature.
  3. Persistence: a Lua-based backdoor (BadCandy) is written to the filesystem. The implant itself does not survive a reload, but the account created in step 1 does, so the attacker can log back in and re-install it.
# Detection: Look for unexpected Lua files in flash
show flash: | include lua

# Example implant path
flash:/.cisco_config_webx.lua
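The three artefacts that chain leaves on a device can be checked from a script. The following Python is an added example, not code from the original page or from Cisco: the HTTP probe is the implant check Cisco Talos published (a POST to /webui/logoutconfirm.html?logon_hash=1 returns a bare hexadecimal string when the implant is present, the normal HTML page when it is not), the `dir flash:` and `show running-config` outputs are constructed samples that imitate IOS XE formatting, and the account names and allowlist are assumptions for the example.

```python
"""Device-side triage for the CVE-2023-20198 / CVE-2023-20273 chain.

Added example, not Cisco's code. Three checks:
  1. implant probe (Cisco Talos' published check): a POST to
     /webui/logoutconfirm.html?logon_hash=1 answers with a bare hex string
     on a backdoored device and with the normal HTML page on a clean one;
  2. unexpected .lua files in flash;
  3. unexpected privilege-15 local users, which survive the reload that
     removes the implant.
"""
import re
import ssl
import urllib.request

# Constructed sample of `dir flash:` output (not captured from a real device).
SAMPLE_DIR_FLASH = """\
Directory of flash:/

   11  drwx            16384  Oct 19 2023 10:12:01 +00:00  lost+found
   12  -rw-        925339648  Oct 10 2023 08:41:11 +00:00  cat9k_iosxe.17.09.03.SPA.bin
   13  -rw-             5120  Oct 18 2023 23:59:01 +00:00  .cisco_config_webx.lua
   14  -rw-              322  Oct 18 2023 23:59:04 +00:00  .installer
"""

# Constructed sample of `show running-config | include ^username`.
# The second account stands in for the one CVE-2023-20198 creates
# (account name assumed for the example).
SAMPLE_USERNAMES = """\
username netadmin privilege 15 secret 9 $9$constructedhash1
username cisco_tac_admin privilege 15 secret 9 $9$constructedhash2
username helpdesk privilege 1 secret 9 $9$constructedhash3
"""

# A bare hex string, and nothing else, is what the backdoored endpoint returns.
HEX_BODY = re.compile(r"[0-9a-fA-F]{16,}")


def classify_probe_body(body: str) -> str:
    """Interpret the body returned by the logon_hash=1 probe."""
    text = body.strip()
    if HEX_BODY.fullmatch(text):
        return "implant"
    lowered = text.lower()
    if "<html" in lowered or "<!doctype" in lowered:
        return "clean"
    return "unknown"


def probe_device(host: str, timeout: float = 5.0) -> str:
    """Run the probe against a live device (network call; not used by the tests)."""
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # Web UI usually has a self-signed cert
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return classify_probe_body(resp.read().decode("utf-8", "replace"))


LUA_FILE = re.compile(r"\s(\S+\.lua)\s*$", re.MULTILINE)


def lua_files_in_flash(dir_output: str) -> list:
    """Names of .lua files in `dir flash:` output (the page's detection step)."""
    return LUA_FILE.findall(dir_output)


USERNAME_LINE = re.compile(r"^username (\S+) privilege (\d+)", re.MULTILINE)


def unexpected_priv15_users(config: str, allowlist) -> list:
    """Privilege-15 local users that are not in the allowlist of known admins."""
    return [user for user, level in USERNAME_LINE.findall(config)
            if int(level) == 15 and user not in allowlist]


if __name__ == "__main__":
    print("lua files:", lua_files_in_flash(SAMPLE_DIR_FLASH))
    print("unexpected priv-15 users:",
          unexpected_priv15_users(SAMPLE_USERNAMES, {"netadmin"}))
```

Later variants of the implant were reported to require an Authorization header before answering the probe, so a negative probe alone does not prove a device clean; the flash listing and the account review still apply, and the account check is the one that matters after a reload.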

Backdoor Analysis

The implant registers a Lua handler that intercepts requests to a specific URI path pattern. It decrypts an AES-128 payload containing command instructions and exfiltrates output via DNS TXT queries.

-- Simplified representation of implant behavior. decrypt, dns_exfil and
-- base64_encode stand in for the implant's own helpers, which are not shown.
local function handle_request(req)
    -- the command arrives AES-encrypted in a query parameter
    local cmd = decrypt(req.query.cmd, AES_KEY)
    -- run it on the underlying OS and capture everything it prints
    local pipe = io.popen(cmd)
    local out = pipe:read("*a")
    pipe:close()
    -- output leaves the device encoded inside DNS TXT queries
    dns_exfil(base64_encode(out))
end

Network Telemetry

  • DNS: High volume of TXT queries to *.update-cisco[.]com
  • HTTP: POST requests to /webui/rest/.* with abnormally large bodies
  • CLI: Unexpected archive tar operations in system logs
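Turned into detection logic, the three telemetry points above look like this. The Python below is an added example, not detection content from the page or from any vendor: the log formats (a DNS resolver log, an HTTP access log and a command-accounting log) are simplified constructed formats, the sample lines are constructed, and the TXT burst threshold and body-size limit are assumed values to tune locally.

```python
"""Detection logic for the telemetry indicators above (added example).

Log formats are simplified constructed ones:
  DNS : "<ts> <src-ip> query <qtype> <qname>"
  HTTP: "<ts> <src-ip> <method> <path> <body-bytes>"
  CLI : free-text command-accounting lines
Thresholds are assumptions to be tuned per environment.
"""
import re
from collections import Counter

IOC_DNS_DOMAIN = "update-cisco.com"   # the page's indicator, defanging removed
TXT_BURST_THRESHOLD = 20              # assumed: TXT queries per source in the window
LARGE_BODY_BYTES = 16 * 1024          # assumed: what counts as an abnormally large POST

DNS_LINE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
HTTP_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
WEBUI_REST = re.compile(r"^/webui/rest/")
ARCHIVE_TAR = re.compile(r"\barchive tar\b")


def in_domain(qname: str, domain: str) -> bool:
    """True for the domain itself and any label beneath it (not look-alikes)."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def dns_txt_bursts(lines, domain=IOC_DNS_DOMAIN, threshold=TXT_BURST_THRESHOLD):
    """Sources that sent at least `threshold` TXT queries for the IOC domain."""
    counts = Counter()
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        _ts, src, qtype, qname = m.groups()
        if qtype.upper() == "TXT" and in_domain(qname, domain):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def large_webui_posts(lines, limit=LARGE_BODY_BYTES):
    """POSTs to /webui/rest/* whose body exceeds the limit, as (src, path, bytes)."""
    hits = []
    for line in lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue
        _ts, src, method, path, size = m.groups()
        if method == "POST" and WEBUI_REST.match(path) and int(size) > limit:
            hits.append((src, path, int(size)))
    return hits


def archive_tar_commands(lines):
    """Command-accounting lines in which `archive tar` was run."""
    return [line for line in lines if ARCHIVE_TAR.search(line)]


# Constructed sample logs: one router (10.1.1.5) beaconing over DNS TXT, a
# large Web UI POST from an outside address, and one archive tar invocation.
DNS_LOG = [f"2023-10-20T10:00:{i:02d}Z 10.1.1.5 query TXT {i:04x}.update-cisco.com"
           for i in range(25)]
DNS_LOG += ["2023-10-20T10:01:00Z 10.1.1.9 query A www.example.com",
            "2023-10-20T10:01:01Z 10.1.1.9 query TXT _dmarc.example.com"]
HTTP_LOG = ["2023-10-20T10:02:00Z 203.0.113.7 POST /webui/rest/config 48213",
            "2023-10-20T10:02:05Z 10.1.1.20 GET /webui/ 0",
            "2023-10-20T10:02:09Z 10.1.1.20 POST /webui/rest/login 311"]
CLI_LOG = ["2023-10-20T10:03:00Z edge-rtr1 user=cisco_tac_admin cmd=archive tar /create flash:bk.tar flash:/tmp",
           "2023-10-20T10:03:30Z edge-rtr1 user=netadmin cmd=show ip interface brief"]

if __name__ == "__main__":
    print("DNS TXT bursts:", dns_txt_bursts(DNS_LOG))
    print("large Web UI POSTs:", large_webui_posts(HTTP_LOG))
    print("archive tar commands:", archive_tar_commands(CLI_LOG))
```

The domain match is deliberately suffix-based on a label boundary so that `notupdate-cisco.com` does not trigger, and the HTTP rule keys on the method, the path prefix and the body size together, since small POSTs to /webui/rest/ are normal Web UI traffic.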

Enterprise Response

# Upgrade path: 17.9.4a was the first fixed release on the 17.9 train (other trains have
# their own fixed rebuilds; check the Cisco advisory for yours). The rebuild letter matters:
# 17.9.4 is vulnerable, 17.9.4a is not.
show version
install add file flash:cat9k_iosxe.17.09.04a.SPA.bin activate commit

# Post-compromise cleanup after forensics. The reload removes the implant, but not the
# privilege-15 account that CVE-2023-20198 created, so remove that account as well, and keep
# the HTTP server feature (ip http server / ip http secure-server) disabled until the device
# is patched.
delete /force flash:.cisco_config_webx.lua
reload
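Whether a device is actually on a fixed release is easy to get wrong when the fix is a rebuild: a plain string or numeric comparison treats 17.9.4a as equal to, or lower than, 17.9.4. The Python below is an added example, not Cisco tooling: it parses the Version field from `show version` output (constructed sample lines in both the 17.09.04a and 17.9.4a spellings IOS XE prints) and compares it against a fixed-release table that, like the page, lists only the 17.9 train; any other train is reported as unknown rather than guessed.

```python
"""Fixed-release check for IOS XE that understands rebuild suffixes (added example)."""
import re
from typing import Optional, Tuple

# Major, minor, patch and rebuild letter. "" sorts before "a", which is the
# point: 17.9.4 is vulnerable, 17.9.4a is fixed, 17.9.5 is later than both.
Version = Tuple[int, int, int, str]

VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)([a-z]?)\b", re.IGNORECASE)

# Only the train the page covers. Other trains have their own fixed rebuilds
# and must be looked up in the Cisco advisory rather than guessed here.
FIXED_BY_TRAIN = {(17, 9): (17, 9, 4, "a")}


def parse_version(text: str) -> Optional[Version]:
    """Extract the first 'Version a.b.c[x]' from show version output."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rebuild = m.groups()
    return (int(major), int(minor), int(patch), rebuild.lower())


def patch_status(show_version_output: str) -> str:
    """Return 'fixed', 'vulnerable', 'unknown-train' or 'unparsed'."""
    ver = parse_version(show_version_output)
    if ver is None:
        return "unparsed"
    fixed = FIXED_BY_TRAIN.get(ver[:2])
    if fixed is None:
        return "unknown-train"
    # Tuple comparison handles the rebuild letter correctly: ("", < "a").
    return "fixed" if ver >= fixed else "vulnerable"


# Constructed show version excerpts in the two spellings IOS XE prints.
SAMPLES = {
    "Cisco IOS XE Software, Version 17.09.04a": "fixed",
    "Cisco IOS XE Software, Version 17.09.04": "vulnerable",
    "Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.9.5, RELEASE SOFTWARE (fc1)": "fixed",
    "Cisco IOS XE Software, Version 17.06.05": "unknown-train",
}

if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        status = patch_status(line)
        print(f"{status:14} (expected {expected:14}) {line}")
```

Extending FIXED_BY_TRAIN with the fixed rebuilds for the other trains from the Cisco advisory is all that is needed to run this across a fleet; the "unknown-train" result is there so that a train not yet in the table is flagged for a human rather than silently passed.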

Timeline

Date          Event
2023-10-16    Initial disclosure of CVE-2023-20198
2023-10-22    CVE-2023-20273 patched; attack volume spikes
2023-11-03    CISA releases detection script