CVE-2023-20231 HIGH

CVE-2023-20231

Vendor Cisco
Product Cisco IOS XE Software
Weakness CWE-78
Published September 27, 2023
Last update December 16, 2025
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to execute arbitrary Cisco IOS XE Software CLI commands with level 15 privileges. Note: This vulnerability is exploitable only if the attacker obtains the credentials for a Lobby Ambassador account. This account is not configured by default.

Key dates

02Disclosure timeline

September 27, 2023 CVE published
December 16, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-53256 Rizin has a command injection via RzBinInfo bclass due legacy code CVE-2012-10029 Nagios XI Network Monitor Graph Explorer Component < 1.3 Authenticated Command Injection CVE-2025-59359 OS command injection in Chaos Mesh via the cleanTcs mutation CVE-2026-48723 BrowserStack Cypress CL: Command Injection via cypress_config_file leads to arbitrary code execution through malicious browserstack.json CVE-2019-25158 pedroetb tts-api app.js onSpeechDone os command injection