Overview

A critical vulnerability tracked as CVE-2025-20198 has been discovered in Cisco IOS XE, the operating system powering the majority of Cisco enterprise routers and switches. The flaw, rated CVSS 10.0, allows an unauthenticated remote attacker to create an account with privilege level 15 (full administrator) access.

Cisco confirmed that active exploitation has been observed in the wild, with thousands of internet-facing devices already compromised.

Technical Details

The vulnerability resides in the HTTP UI feature of Cisco IOS XE when enabled and exposed to the internet. An attacker can exploit the flaw by sending a crafted HTTP request without any authentication.

Affected versions:

  • Cisco IOS XE Software versions 16.x through 17.x
  • All device types running the affected software with HTTP/HTTPS server enabled

Attack vector:

POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1
Host: [target-ip]
Content-Type: application/x-www-form-urlencoded

Indicators of Compromise

Check for unauthorised accounts and suspicious HTTP requests in your logs:

# Check for new privilege-15 accounts
show running-config | include username

# Check for implant presence
curl -k "https://[device-ip]/webui/" -H "Authorization: ..."

Look for accounts you don’t recognise in your device configurations, especially those created in the past 72 hours.
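The two checks above can be automated. The following is an added example (not Cisco's tooling or part of the original advisory) that flags privilege-15 accounts missing from an expected-admin list in `show running-config | include username` output, and scans HTTP server log lines for the request shape shown under Attack vector; the sample config and log lines, and the log line format, are constructed for the example.

```python
"""Triage helper: unexpected privilege-15 accounts and exploit-shaped web UI requests."""
import re

# Constructed sample of `show running-config | include username` output.
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 9 $9$EXAMPLEHASH
username monitor privilege 1 password 7 0822455D0A16
username cisco_tac_admin privilege 15 secret 9 $9$ANOTHERHASH
"""

# Constructed sample HTTP server log lines: "<timestamp> <source-ip> <method> <path> <status>".
# The format is an assumption for this example, not the device's own log format.
SAMPLE_HTTP_LOG = """\
2025-01-01T10:00:01Z 203.0.113.7 GET /webui/login.html 200
2025-01-01T10:00:05Z 203.0.113.7 POST /webui/logoutconfirm.html?logon_hash=1 200
2025-01-01T10:01:00Z 198.51.100.2 GET /webui/ 302
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
# Request shape from the advisory's Attack vector section.
EXPLOIT_RE = re.compile(r"\bPOST\s+/webui/logoutconfirm\.html\?logon_hash=1\b")


def unexpected_priv15(config_text, expected_admins):
    """Return usernames configured with privilege 15 that are not in expected_admins."""
    found = []
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and m.group(2) == "15" and m.group(1) not in expected_admins:
            found.append(m.group(1))
    return found


def exploit_request_hits(log_text):
    """Return (timestamp, source_ip) for each log line matching the exploit request shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and EXPLOIT_RE.search(line):
            hits.append((parts[0], parts[1]))
    return hits


if __name__ == "__main__":
    print("Unexpected privilege-15 accounts:", unexpected_priv15(SAMPLE_CONFIG, {"netadmin"}))
    print("Exploit-shaped requests:", exploit_request_hits(SAMPLE_HTTP_LOG))
```

Feed it the real config and access-log output and an allowlist of your known administrators; any hit is a reason to start the incident process rather than a confirmation on its own.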

Mitigation

  1. Disable HTTP/HTTPS server immediately if not required:
    no ip http server
    no ip http secure-server
  2. Apply Cisco’s emergency patch — download from Cisco’s Software Download Center
  3. Audit all Cisco IOS XE devices for new or unauthorised accounts
  4. Check firewall rules — ensure HTTP/HTTPS management interfaces are never exposed to the internet
  5. Enable Cisco IOS XE logging and forward to your SIEM

Impact Assessment

Factor                   Rating
CVSS Score               10.0 (Critical)
Exploitation             Active in the wild
Authentication required  None
Privileges required      None
User interaction         None

This article will be updated as new information becomes available. Organisations are urged to treat this as a critical incident and act within 24 hours.