""ET INFO Cisco IOS XE Web Server execCLI in SOAP (CVE-2023-20198) (Inbound)""

SID: 2048943

Revision: 1

Class Type: misc-activity

Metadata: attack_target Networking_Equipment, created_at 2023_10_30, cve CVE_2023_20198_CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Informational, updated_at 2023_10_30, reviewed_at 2023_10_30

Reference:

  • cve

  • 2023-20198

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: [$HOME_NET,$HTTP_SERVERS]

Destination Port: any

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "|3c 2f|wsse|3a|Username|3e 20 3c|wsse|3a|Password|3e|"

  • Value: "|3c 2f|cmd|3e 20 3c 2f|execCLI|3e|"

Within:

PCRE:

Special Options:

  • http_method

  • http_client_body

  • http_client_body

  • fast_pattern

source