
Rule History

SID: 2049007 • Source: et/open

Versions (5)

Version Details (Current)

Rev: 1, Nov 1, 2023, 12:00 PM

ET EXPLOIT Cisco IOS XE Web UI Command Injection Vulnerability (CVE-2023-20273)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web UI Command Injection Vulnerability (CVE-2023-20273)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webui/rest/softwareMgmt/installAdd"; startswith; nocase; fast_pattern; http.cookie; content:"Auth="; startswith; http.header_names; content:"|0d 0a|X-Csrf-Token|0d 0a|"; nocase; http.request_body; content:"|22|ipaddress|22|"; nocase; content:"|22|"; within:5; content:"|3a|"; within:5; content:"|3a|"; within:5; content:"|3a|"; within:5; pcre:"/^.{0,5}(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,blog.leakix.net/2023/10/cisco-root-privesc/; reference:url,twitter.com/joel_land/status/1719708750741639539; reference:url,sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z; reference:cve,2023-20273; classtype:attempted-admin; sid:2049007; rev:1; metadata:affected_product Cisco_IOS, attack_target Networking_Equipment, created_at 2023_11_01, cve CVE_2023_20273, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Critical, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_01, reviewed_at 2023_11_01, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)

Version timestamps:
Nov 1, 2023, 12:00 PM
Nov 1, 2023, 12:00 PM
Sep 21, 2024, 3:00 AM
Aug 18, 2025, 8:35 PM

Rule file: rules/emerging-exploit.rules