Rockwell Automation Stratix 5800 & 5200 Cisco IOS XE Web UI Privilege Escalation (CVE-2023-20198)

critical Tenable OT Security Plugin ID 501759

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation strongly encourages users to follow guidance disabling Stratix HTTP servers on all internet-facing systems.

- To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
- Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.
- Access Control Lists should be enabled to only allow specific IP addresses to access the Web UI of the device. Detailed instructions on how to create the Access Control List are in QA67053. (Login required)
- When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.

For more information, see Rockwell Automation's Security Advisory.
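
The checks above can be run offline against a saved `show running-config` dump. The following is an added example, not part of the Tenable plugin or the CISA/Rockwell advisory. The function name, sample configurations and account names are constructed, and it assumes the ACL is bound to the Web UI with Cisco's `ip http access-class` command (the QA67053 steps are not reproduced on this page).

```python
import re

# Constructed sample configs (not taken from any real device).
EXPOSED = """\
hostname stratix-lab
username admin privilege 15 secret 9 CONSTRUCTED
username svc_tmp privilege 15 secret 9 CONSTRUCTED
ip http server
ip http secure-server
"""
HARDENED = """\
hostname stratix-lab
username admin privilege 15 secret 9 CONSTRUCTED
no ip http server
no ip http secure-server
"""

def audit_ios_xe_config(config_text, expected_admins=()):
    """Return a list of findings for a saved running-config (hypothetical helper)."""
    state = {"server": None, "secure-server": None}  # None = no explicit line seen
    access_class = False
    priv15 = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(no )?ip http (server|secure-server)", line)
        if m:
            state[m.group(2)] = m.group(1) is None  # True when not negated
        elif re.match(r"ip http access-class\s+\S+", line):
            access_class = True
        else:
            m = re.match(r"username (\S+) privilege 15\b", line)
            if m:
                priv15.append(m.group(1))
    findings = []
    for feature, enabled in state.items():
        if enabled:
            findings.append(f"ip http {feature} is enabled")
        elif enabled is None:
            # Defaults differ by platform, so absence is not proof of "disabled".
            findings.append(f"ip http {feature} state not stated; verify on device")
    if any(state.values()) and not access_class:
        findings.append("Web UI enabled without ip http access-class")
    # Local privilege 15 accounts that are not on the operator's known-admin list.
    findings += [f"unexpected privilege 15 account: {u}"
                 for u in priv15 if u not in expected_admins]
    return findings
```

A config that negates only one of the two services is reported as unverified for the other, which matches the advisory's point that both commands are needed when both servers are in use.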

See Also

http://www.nessus.org/u?059a6d2a

http://www.nessus.org/u?1506d35e

Plugin Details

Severity: Critical

ID: 501759

File Name: tenable_ot_rockwell_CVE-2023-20198.nasl

Version: 1.11

Type: remote

Family: Tenable.ot

Published: 10/24/2023

Updated: 2/14/2026

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Critical

Score: 10.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-20198

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:rockwellautomation:allen-bradley_stratix_5800_firmware, cpe:/o:rockwellautomation:allen-bradley_stratix_5200_firmware

Required KB Items: Tenable.ot/Rockwell

Exploit Available: true

Exploit Ease: Exploits are available

CISA Known Exploited Vulnerability Due Dates: 10/20/2023

Exploitable With

Core Impact

Metasploit (Cisco IOX XE Unauthenticated RCE Chain)

Reference Information

CVE: CVE-2023-20198

CWE: 420

ICSA: 23-297-01