Cisco IOS XE zero-day vulnerability has recently become a hot topic in the cybersecurity industry. This particular vulnerability was identified within the Web UI functionality of the IOS XE software developed by Cisco. The zero-day vulnerabilities that are being actively exploited in the actual attacks are CVE-2023-20198 and CVE-2023-20273. Notably, CVE-2023-20198 has been assigned the highest CVSS score of 10, with Cisco describing this vulnerability as “a vulnerability that allows an attacker to access the victim’s system with 15-level privileges. The exploitation of the Cisco IOS XE zero-day vulnerability proves more severe than anticipated, allowing for the execution of all commands and changes to configuration settings. On October 16, Cisco issued a security advisory for these vulnerabilities, highlighting that, at present, the only recommended defense is to disable the Web UI feature of IOS XE.

Cisco IOS XE Zero-day announcement
Cisco security advisory on IOS XE zero-day vulnerabilities released on October 16

How to Detect Devices Exposed to Cisco IOS XE Zero-Day Threats

To identify devices vulnerable to Cisco IOS XE zero-day threats, use the search query ‘WebUI Product: “OpenResty”. This query searches for OpenResty products that run Cisco Web UI and allows you to find Cisco IOS XE Web UI devices that can be accessed from the internet. With the Product Filter in Criminal IP Asset Search, you can search for the IP addresses associated with specific products.

Search Query: WebUI product: “OpenResty”

Cisco IOS XE Zero-day criminal ip search result
Search results for Cisco IOS XE Web UI using product filter in Criminal IP Asset Search

The search results discovered more than 56,000 Cisco IOS XE devices running on OpenResty servers. Given Cisco’s global popularity, you can see that these devices are being used all around the world. A total of 176 countries appeared to be using Cisco IOS XE Web UI devices. Among them, the United States appeared the most with 9,599 devices, followed by the Philippines with 4,131 devices, and Peru with 4,080 devices.

Cisco IOS XE Zero-day countries affected
Statistics on countries with Cisco IOS XE Web UI devices confirmed by Criminal IP

Statistics for Autonomous System Related Cisco IOS XE Zero-Day Devices

With the Criminal IP Element Analysis, you can use the as_name filter to check the statistics for the autonomous system using devices related to the Web UI feature.

Cisco IOS XE Zero-day on criminal ip element analysis
Statistics for autonomous system related to Cisco IOS XE Web UI devices confirmed by Criminal IP Element Analysis

The autonomous systems that topped the statistics charts were ISPs providing internet access to households and companies. Filipino telecommunication company Globe Telecoms appeared the most with 2,607 devices, followed by Chilean telecommunication company CTC Corp S.A. Telefonica Empresas with 2,334 devices, and Peruvian telecommunications company America Movil Peru S.A.C with 2,113 devices. 

No security patch has been released for the existing Cisco IOS XE Web UI zero-day vulnerability. Ongoing research is investigating the potential for further exploits. If you use a Cisco IOS XE device, we recommend staying informed by checking the latest security advisories on the official site.

Check out the article on the MOVEit Zero-Day: Detecting Servers Exposed to Data Leak Attacks.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.  

Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence.

Source: Criminal IP (

Related article(s):