CVE-2023-20198 - Cisco IOS XE Web UI privilege escalation, mass-exploited in edge device botnets – CyberDudeBivash PostMortem Report

CYBERDUDEBIVASH

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

Published by CyberDudeBivash • Date: Nov 3, 2025 (IST)

CVE-2023-20198 — Cisco IOS XE Web UI Privilege Escalation & “BadCandy” Implant (PostMortem)

This critical vulnerability in the Web UI feature of Cisco IOS XE devices allowed unauthenticated remote attackers to create privilege-15 admin accounts and then drop a root-level web shell implant (“BadCandy”), enabling large-scale edge botnet compromises. Review this post-mortem for lab reproduction, detections, IOCs, hardening, and a 30-60-90 remediation plan.

TL;DR

  • CVE-2023-20198 – unauthenticated remote privilege escalation in Cisco IOS XE Web UI (CVSS 10.0). 
  • Attack chain: Exploit Web UI → create priv-15 user → exploit second flaw (CVE-2023-20273) → drop BadCandy Lua web shell. 
  • Fix now: Disable HTTP/HTTPS server on internet-facing devices, apply IOS XE fixed versions (e.g., 17.9.4a, 17.6.6a) or SMU per Cisco guidance. 

Contents

  1) Context & Affected Versions
  2) Lab / Environment Setup
  3) Reproduction — Request → Response
  4) Payloads: Account Creation & Implant Drop
  5) Root Cause (Code/Config Path)
  6) Detections & Hunt Queries
  7) Mitigations & Hardening
  8) IOCs & Artifacts
  9) 30-60-90 Day Program
  FAQ

1) Context & Affected Versions

Product: Cisco IOS XE software • Component: Web UI (HTTP/HTTPS server feature) • Affected versions: All versions with Web UI enabled up to fixed trains (17.9.4a, 17.6.6a, 17.3.8a) as per Cisco. 

An unauthenticated remote attacker can issue commands that create level-15 user accounts. A subsequent exploit of CVE-2023-20273 enables root-level command injection and implant installation. 

2) Lab / Environment Setup

  • Target: Cisco IOS XE device or virtual image with Web UI enabled (ip http server or ip http secure-server)
  • Attacker: Kali Linux / python exploit script / curl
  • Network/Svc: TCP port 80 or 443, Web UI endpoint (/webui/logoutconfirm.html?logon_hash=1 used to check implant) 

# Example test (implant presence check published by Cisco Talos):
curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" \
  -X POST "https://DEVICE_IP/webui/logoutconfirm.html?logon_hash=1"
# If the response body is a bare hex string → implant (BadCandy) likely present.

3) Reproduction — Request → Response

Here is a simplified reproduction of the first phase (privilege escalation via the Web UI). The full exploit chain has not been published in detail, but many labs have instrumented it.

# Sample HTTP request (lab only)
POST /webui/login HTTP/1.1
Host: DEVICE_IP
Content-Type: application/x-www-form-urlencoded
username=&rce=1&...
# On vulnerable host → returns HTTP 200 and attacker can issue CLI commands as level-15

Second step: the new user logs in at level 15 and exploits the second component (CVE-2023-20273) to write the implant and gain root.

4) Payloads — Account Creation & Implant Drop

4.1 Privilege-15 account creation

# CLI example (post exploitation)
username bad_actor privilege 15 secret MyStrongPass!
# then attacker logs in via SSH/console with new account.

4.2 “BadCandy” Implant

The implant is saved at /usr/binos/conf/nginx-conf/cisco_service.conf and allows Lua-based remote command execution via the POST parameters “menu”, “logon_hash”, and “common_type”. 

# Example interaction:
POST /cisco_service.conf HTTP/1.1
Authorization: 
menu=2&logon_hash=&common_type=subsystem&cmd=id
# Returns root@device id output

Note: The implant is not persistent — a reboot clears it — but attacker-created accounts remain. 

5) Root Cause (Code Path / Config)

  • Web UI component allowed unauthenticated access to privileged functions via HTTP/HTTPS server (ip http server enabled). 
  • No access-control on administrative endpoints; authentication bypass in Web UI. 
  • Second vulnerability (CVE-2023-20273) allowed command injection leading to root privilege and implant drop. 
# Simplified pseudo-code:
if (webui.enabled && ip_http_server) {
  process_webui_request(request);
  if (request.cmd == create_user) { grant_priv15(user); }
}
# Then chain triggers second vulnerability to escalate to root and drop implant.

6) Detections & Hunt Queries

Network / WAF

# Generic WAF rule: block admin account creation via Web UI from untrusted networks
# ModSecurity 2.7+ rejects rules without a unique id; 1000198 is a placeholder from a local range.
# As written this denies every /webui/ request through the WAF, so apply it only on the
# untrusted-facing listener, or chain it with a REMOTE_ADDR @ipMatch check that exempts the management network.
SecRule REQUEST_URI "@contains /webui/" \
    "id:1000198,phase:2,deny,log,msg:'Possible Cisco IOS XE WebUI exploit (CVE-2023-20198)'"

SIEM / CLI Log Hunt (pseudocode)

# Search for new priv-15 users created via CLI
DeviceAudit
| where DeviceModel contains "IOS-XE"
| where NewUserPrivilege == 15
| extend username=User
| where username startswith "cisco_" or username contains "support"
| project DeviceName, TimeGenerated, username

Host / EDR

Look for unexpected file path: /usr/binos/conf/nginx-conf/cisco_service.conf and HTTP POSTs with “logon_hash” parameter.
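To turn the Network/WAF and Host/EDR notes above into something that runs over proxy or WAF access logs, here is an added Python hunt (example code, not from the original post): it flags POSTs to the logoutconfirm probe, separates an answered probe (HTTP 200 with a tiny body) from a bare attempt, and raises any /webui access from outside an assumed management range (10.10.0.0/24). The log lines are constructed sample data.

```python
import ipaddress
import re

# Constructed access-log lines in combined-log shape (sample data, not from a real device).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2023:10:01:02 +0000] "POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1" 200 18 "-" "curl/8.1.2"
198.51.100.9 - - [17/Oct/2023:10:01:05 +0000] "GET /webui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Oct/2023:10:01:09 +0000] "POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1" 404 0 "-" "curl/8.1.2"
10.10.0.5 - - [17/Oct/2023:10:01:30 +0000] "GET /webui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [17/Oct/2023:10:02:00 +0000] "POST /webui/login HTTP/1.1" 200 301 "-" "python-requests/2.31"
"""

# Assumed trusted management range; any other source touching /webui is out of policy.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
PROBE_PATH = "/webui/logoutconfirm.html"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

def parse_line(line: str):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry: dict):
    """Label one parsed request; None means nothing worth raising."""
    src = ipaddress.ip_address(entry["ip"])
    from_mgmt = any(src in net for net in MGMT_NETS)
    if (entry["method"] == "POST" and entry["path"].startswith(PROBE_PATH)
            and "logon_hash=1" in entry["path"]):
        # The implant answers the probe with a short hex string (200, tiny body);
        # a 404 or empty body means the probe was tried but nothing answered it.
        if entry["status"] == "200" and int(entry["size"]) < 64:
            return "implant_probe_answered"
        return "implant_probe_attempt"
    if entry["path"].startswith("/webui") and not from_mgmt:
        return "webui_from_untrusted"
    return None

def hunt(log_text: str):
    """Return (source_ip, label) for every log line that deserves attention."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (label := classify(entry)):
            findings.append((entry["ip"], label))
    return findings
```

An "implant_probe_answered" hit on a device should be treated as a confirmed compromise and escalated, not just a blocked request.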

7) Mitigations & Hardening

  1. Immediate: Disable Web UI server on all internet-facing or untrusted IOS XE devices: no ip http server and/or no ip http secure-server
  2. Patching: Apply fixed versions 17.9.4a, 17.6.6a, 17.3.8a, or the SMU per the vendor table.
  3. Audit & Account Cleanup: Remove any unexpected level-15 user accounts (e.g., “cisco_tac_admin”, “cisco_support”). 
  4. Network Segmentation: Ensure management ports (HTTP/HTTPS) only accessible from trusted management network; block internet access.
  5. Reboot & Verify: Because the implant is non-persistent, rebooting the device clears it — but other persistence/victims remain. 
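An added Python audit (example code, not part of the original post) that applies steps 1 and 3 to a captured `show running-config`: it lists the active `ip http` server lines, flags privilege-15 accounts missing from an assumed operator allowlist, and emits the `no ...` commands to back them out. The sample config and the allowlist are constructed.

```python
import re

# Constructed `show running-config` excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 5 $1$PLACEHOLDER
username cisco_support privilege 15 password 7 PLACEHOLDER
username readonly privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Accounts the operator actually provisioned (assumed); any other privilege-15 user is suspect.
KNOWN_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
WEBUI_LINES = ("ip http server", "ip http secure-server")

def unexpected_priv15(config: str, known_admins=KNOWN_ADMINS) -> list:
    """Privilege-15 usernames that are not on the operator allowlist, sorted."""
    return sorted(name for name, level in USER_RE.findall(config)
                  if int(level) == 15 and name not in known_admins)

def webui_enabled(config: str) -> list:
    """Web UI server lines that are active; 'no ip http ...' lines do not match."""
    return [line.strip() for line in config.splitlines() if line.strip() in WEBUI_LINES]

def remediation_commands(config: str, known_admins=KNOWN_ADMINS) -> list:
    """Config-mode commands to disable the Web UI and remove unexpected admin accounts."""
    cmds = ["no " + line for line in webui_enabled(config)]
    cmds += ["no username " + user for user in unexpected_priv15(config, known_admins)]
    return cmds

def audit(config: str, known_admins=KNOWN_ADMINS) -> dict:
    """Per-device summary: what is exposed, who should not be there, what to type."""
    return {
        "webui_enabled": webui_enabled(config),
        "unexpected_priv15": unexpected_priv15(config, known_admins),
        "remediation": remediation_commands(config, known_admins),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against configs pulled by your existing backup tooling; a non-empty "unexpected_priv15" result on an internet-exposed device is a strong signal that the account should be preserved as evidence before removal.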

8) IOCs & Artifacts

Type       | Indicator / Pattern                                                  | Notes
File Path  | /usr/binos/conf/nginx-conf/cisco_service.conf                        | BadCandy implant config file.
HTTP POST  | POST /webui/logoutconfirm.html?logon_hash=1                          | Probe command used by attackers.
New User   | Username “cisco_tac_admin” or “cisco_support” with privilege 15      | Seen in multiple intrusions.

9) 30-60-90 Day Program

Day 0-30 — Contain

  • Audit all IOS XE devices: identify those with Web UI enabled, isolate internet-exposed ones.
  • Immediate disable of HTTP/HTTPS server features and apply vendor patches.
  • Deploy honeypot/tarpit to catch exploit attempts and log malicious actor IPs.

Day 31-60 — Harden

  • Implement strict network segmentation and management-plane ACLs for all devices.
  • Harden account management: enforce MFA/AAA; rotate credentials; disable default accounts.
  • Deploy monitoring: alert on new level-15 users, config changes, unexpected reboots/log clears.

Day 61-90 — Assure

  • Conduct full IR sweep for lateral movement from edge devices into internal network.
  • Include edge device compromise in board-level risk reporting; KPIs: % patched devices, MTTD for new support-level accounts.
  • Run yearly red-team simulation of Web UI bypass exploit chain for network resilience testing.

FAQ

Has the implant persisted long-term on many devices?

No — the “BadCandy” implant is non-persistent (cleared on reboot) per Cisco/Talos. But attacker-created accounts and lateral access remain, so the device is still compromised. 

Which Cisco devices are at highest risk?

Any IOS XE device with Web UI enabled (ip http server or ip http secure-server) and exposed to the internet or untrusted network is at risk. Family includes Catalyst, ASR, NCS, etc.
