Exploitation of around 42K Cisco IOS XE devices found, no remedial update provided
In October 2023, a zero-day vulnerability, tracked as CVE-2023-20198, was found being exploited in Cisco IOS XE software. It is a privilege-escalation flaw in the IOS XE Web UI (the HTTP/HTTPS server feature), not an SNMP bug: a remote, unauthenticated attacker can create a local account with privilege level 15, the highest level, and from there run any command on the device. In the observed attacks the new account was then used, together with a second Web UI flaw (CVE-2023-20273), to write a backdoor implant to the device's file system.
Cisco has since published fixed software: the first fixed builds (17.9.4a, with equivalent maintenance releases for the other supported trains) shipped within days of the advisory, and later IOS XE releases such as 17.15.1 and 17.17.1 list CVE-2023-20198 as fixed. A patch is therefore available for every supported release; the remaining risk lies with devices that have not taken it.
However, recent reports suggest that a significant number of devices remain unpatched. For instance, more than 22,000 exploited IOS XE devices were observed by researchers at Palo Alto Networks' Unit 42 team. The impacted organizations appear to be telecommunications companies providing services mainly to small business organizations and remote business users.
According to Emily Austin, a senior security researcher at Censys, they have seen the number of infected devices rise each time they run a manual scan of known Cisco IOS XE Web UI hosts. Censys' initial scan on Tuesday observed 34,140 infected hosts; a follow-up count found almost 42,000 exploited devices with the backdoor installed. As of Tuesday, the U.S. had the highest number of infections with 4,659 exploited devices, followed by the Philippines with 3,224.
When this was first reported, Cisco had not yet released a fix and listed no workaround. Its interim guidance was to disable the HTTP Server feature (ip http server and ip http secure-server) on internet-facing systems, after first checking each device for indicators of compromise such as unexpected privilege-15 accounts, because turning off the Web UI does not remove an account or implant that is already present. The standing recommendation is unchanged: move to a fixed Cisco IOS XE release to close this zero-day.
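The two checks described above, as an added example (this is not code from the article or from Cisco): one function interprets the response of the implant probe Cisco Talos published (an HTTP POST to /webui/logoutconfirm.html?logon_hash=1 that returns an 18-character hex string when the implant answers), and a second scans `show running-config` text for the exposed Web UI and for privilege-15 local accounts the operator does not recognise. The sample config and the expected-account list are constructed for the example; `probe_device` performs real network I/O and is only meant to be run against devices you own.

```python
"""Triage helpers for CVE-2023-20198 (added example, not Cisco's own tooling)."""
import re
import ssl
import urllib.error
import urllib.request
from typing import FrozenSet, List

# Talos' published check: a 200 response whose body is an 18-char hex string
# (e.g. "0123456789abcdef01") means the known implant variant answered.
IMPLANT_RESPONSE = re.compile(r"^[0-9a-f]{18}$")


def classify_implant_probe(status: int, body: str) -> str:
    """Return 'implant', 'clean' or 'unknown' for one probe response.

    'clean' only means the known implant did not answer; it does not prove the
    device was never exploited, since the privilege-15 account created via
    CVE-2023-20198 is invisible to this probe. Check the config as well.
    """
    if status == 200 and IMPLANT_RESPONSE.match(body.strip()):
        return "implant"
    if status in (200, 302, 401, 403, 404):
        return "clean"
    return "unknown"  # device unreachable, proxy error, etc.


def probe_device(host: str, timeout: float = 5.0) -> str:
    """Run the Talos implant check against one device (network; not used by the offline test)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # device certificates are usually self-signed
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_implant_probe(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify_implant_probe(err.code, err.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError):
        return "unknown"


# Assumption for the example: the local accounts this operator expects to exist.
EXPECTED_ACCOUNTS: FrozenSet[str] = frozenset({"admin", "netops"})


def audit_running_config(config: str, expected_users: FrozenSet[str] = EXPECTED_ACCOUNTS) -> List[str]:
    """Flag the exposed Web UI and any privilege-15 user not on the expected list.

    Lines are anchored at column 0, so a disabled feature ("no ip http server")
    is not reported. Talos named cisco_tac_admin and cisco_support as accounts
    the attackers created, but any unexpected level-15 user is worth a look.
    """
    findings: List[str] = []
    if re.search(r"^ip http server\s*$", config, re.M):
        findings.append("web UI enabled over HTTP (ip http server)")
    if re.search(r"^ip http secure-server\s*$", config, re.M):
        findings.append("web UI enabled over HTTPS (ip http secure-server)")
    for match in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        user = match.group(1)
        if user not in expected_users:
            findings.append(f"unexpected privilege-15 account: {user}")
    return findings


# Constructed sample of `show running-config` output for the offline demo.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
username admin privilege 15 secret 9 $9$redacted
username cisco_tac_admin privilege 15 secret 9 $9$redacted
"""

if __name__ == "__main__":
    for line in audit_running_config(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("probe classification:", classify_implant_probe(200, "0123456789abcdef01"))
```

If the audit reports the Web UI enabled on an internet-facing device, the interim mitigation is `no ip http server` and `no ip http secure-server` in global configuration; remove any unexpected account and treat an `implant` probe result as a compromised device to be rebuilt from a fixed release, not merely patched in place.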
It's crucial for all organizations using Cisco IOS XE software to prioritize the installation of the latest software updates to safeguard their systems from this persistent threat.
- Despite ongoing updates from Cisco and the availability of patches, a considerable number of Cisco IOS XE devices remain vulnerable to the CVE-2023-20198 exploit, as indicated by the high number of infected devices observed by researchers.
- The backlog of unpatched devices shows that network-edge infrastructure such as IOS XE routers and switches needs the same patch prioritization and exposure management as servers and cloud workloads: a device with an attacker-created privilege-15 account or an implant sits in the path of all traffic behind it, so the risk extends to every system it connects.