COSMICBYTEZLABS
Cisco IOS XE Web UI Privilege Escalation Actively Exploited
Security | High severity | CVE-2026-2134


Cisco discloses a high-severity privilege escalation vulnerability in IOS XE Web UI that allows authenticated users to gain root access. Active...

Dylan H.

Security Team

February 8, 2026
4 min read

Affected Products

  • Cisco IOS XE 17.9.x
  • Cisco IOS XE 17.12.x
  • Cisco Catalyst Switches
  • Cisco ISR Routers

Executive Summary

Cisco has released an emergency advisory for CVE-2026-2134, a high-severity privilege escalation vulnerability in the IOS XE Web UI. An authenticated attacker with read-only access can exploit the flaw to gain root-level command execution on affected devices. Cisco's PSIRT has confirmed active exploitation in the wild.

CVSS Score: 8.8


Vulnerability Overview

Root Cause

The vulnerability resides in the web-based management interface of Cisco IOS XE. Insufficient authorization checks in the REST API endpoints allow a user with Level 1 (read-only) privileges to execute commands at Level 15 (privileged EXEC) through crafted API requests.

Attack Chain

1. Attacker authenticates to IOS XE Web UI with low-privilege credentials
2. Sends crafted REST API request to /restconf/data/Cisco-IOS-XE-native:native
3. Authorization bypass allows command injection at privilege level 15
4. Attacker creates new admin account or modifies device configuration
5. Persistent backdoor established on network device

Technical Details

Affected Versions

IOS XE Version       Affected       Fixed Version
17.12.1 - 17.12.3    Yes            17.12.4
17.9.1 - 17.9.5      Yes            17.9.5a
17.6.x               Not affected   N/A
17.3.x               Not affected   N/A

Affected Platforms

  • Cisco Catalyst 9200, 9300, 9400, 9500, 9600 Series Switches
  • Cisco Catalyst 8200, 8300, 8500 Series Edge Platforms
  • Cisco ISR 1000, 4000 Series Routers
  • Cisco ASR 1000 Series Routers

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Indicators of Compromise

Check for Unauthorized Users

# Show all local users
show running-config | include username

# Check for recently created accounts
show aaa local user all

# Look for unauthorized privilege level 15 users
show running-config | include privilege 15
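To turn the running-config check above into a repeatable audit across a fleet, the following Python script (an added example, not part of the advisory or any Cisco tooling) parses `username` lines from a constructed sample of `show running-config | include username` output and flags accounts that are absent from a hypothetical approved baseline or hold more privilege than the baseline allows.

```python
import re

# Constructed sample of "show running-config | include username" output
# (not real device output; the secret hashes are fake placeholders).
SAMPLE_RUNNING_CONFIG = """\
username netops privilege 15 secret 9 $9$FAKEHASH_netops
username readonly_user privilege 1 secret 9 $9$FAKEHASH_ro
username svc-backup privilege 15 secret 9 $9$FAKEHASH_unknown
username monitor secret 9 $9$FAKEHASH_monitor
"""

# Hypothetical baseline: accounts expected on the device and their approved privilege.
APPROVED_USERS = {"netops": 15, "readonly_user": 1, "monitor": 1}

# "privilege N" is optional in IOS; a username line without it is level 1.
USERNAME_RE = re.compile(r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?")


def parse_local_users(config_text):
    """Return {username: privilege_level} from 'username ...' config lines."""
    users = {}
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group("name")] = int(m.group("priv") or 1)
    return users


def find_unauthorized(config_text, approved=APPROVED_USERS):
    """Flag accounts missing from the baseline or exceeding their approved privilege.

    Returns a list of (username, privilege, reason) tuples, in config order."""
    findings = []
    for name, priv in parse_local_users(config_text).items():
        if name not in approved:
            findings.append((name, priv, "account not in baseline"))
        elif priv > approved[name]:
            findings.append((name, priv, f"privilege {priv} exceeds approved {approved[name]}"))
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized(SAMPLE_RUNNING_CONFIG):
        print("ALERT:", finding)
```

Feed it the saved output of the `show` command from each device and diff the findings against the previous run to catch accounts created between audits.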

Check Web UI Access Logs

# Review HTTP server logs
show ip http server session-module

# Check for unusual API calls
show logging | include restconf

# Verify no implants
show platform software audit all

Network Indicators

  • Unusual RESTCONF API calls from unexpected source IPs
  • New local user accounts created on network devices
  • Configuration changes outside maintenance windows
  • Unexpected ACL modifications

Immediate Remediation

Option 1: Patch (Recommended)

Upgrade to the fixed IOS XE version:

# From IOS XE CLI
copy tftp://server/iosxe-17.12.4.SPA.bin flash:
install add file flash:iosxe-17.12.4.SPA.bin activate commit

Option 2: Disable Web UI (Immediate Workaround)

# Disable HTTP and HTTPS servers
configure terminal
no ip http server
no ip http secure-server
end
write memory

Note: This disables all web-based management. CLI/SSH management remains available.

Option 3: Restrict Web UI Access

# Create ACL to restrict Web UI access
configure terminal
ip access-list standard WEB-MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
 permit 172.16.1.0 0.0.0.255
 deny any

# Apply to the HTTP server; a named ACL needs the ipv4 keyword, and the same
# access-class governs both HTTP and HTTPS sessions
ip http access-class ipv4 WEB-MGMT-ONLY
end
write memory

Detection Rules

Syslog Monitoring

Monitor for these syslog patterns:

%WEBUI-6-INSTALL_OPERATION: User 'readonly_user' performed configuration change via RESTCONF
%SYS-5-CONFIG_I: Configured from restconf by readonly_user
%AAA-5-USER_PRIV: User 'readonly_user' privilege changed from 1 to 15

SIEM Detection Query (Splunk)

index=network sourcetype=cisco:ios
("RESTCONF" OR "restconf") AND ("privilege" OR "CONFIG_I" OR "USER_PRIV")
| where user_priv_level < 15 AND action="configuration_change"
| stats count by src_ip, user, action
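For teams without Splunk, the same three syslog patterns can be matched directly. The Python detector below is an added example (not the advisory's own tooling or a Cisco product); it runs over a constructed syslog sample and alerts on RESTCONF configuration changes by users outside a hypothetical approved operator set, and on any privilege change that lands at level 15.

```python
import re

# Constructed syslog sample (not real device output). It mixes the advisory's three
# patterns with benign console/SSH changes by an approved operator.
SAMPLE_SYSLOG = """\
Feb  8 02:11:04 10.0.0.5 %SYS-5-CONFIG_I: Configured from console by netops
Feb  8 02:13:40 10.0.0.5 %WEBUI-6-INSTALL_OPERATION: User 'readonly_user' performed configuration change via RESTCONF
Feb  8 02:13:41 10.0.0.5 %SYS-5-CONFIG_I: Configured from restconf by readonly_user
Feb  8 02:13:52 10.0.0.5 %AAA-5-USER_PRIV: User 'readonly_user' privilege changed from 1 to 15
Feb  8 02:20:10 10.0.0.5 %SYS-5-CONFIG_I: Configured from vty0 (10.0.0.21) by netops
"""

# Hypothetical baseline: the only accounts allowed to push configuration changes.
APPROVED_OPERATORS = {"netops"}

PATTERNS = {
    "webui_change": re.compile(
        r"%WEBUI-6-INSTALL_OPERATION: User '(?P<user>[^']+)' performed configuration change via RESTCONF"),
    "config_i": re.compile(
        r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+).* by (?P<user>\S+)$"),
    "priv_change": re.compile(
        r"%AAA-5-USER_PRIV: User '(?P<user>[^']+)' privilege changed from (?P<old>\d+) to (?P<new>\d+)"),
}


def detect(syslog_text, approved=APPROVED_OPERATORS):
    """Return (rule_name, user, raw_line) tuples for lines matching the indicators."""
    alerts = []
    for line in syslog_text.splitlines():
        m = PATTERNS["webui_change"].search(line)
        if m and m.group("user") not in approved:
            alerts.append(("restconf_change_by_unapproved_user", m.group("user"), line))
            continue
        m = PATTERNS["config_i"].search(line)
        if m and m.group("source") == "restconf" and m.group("user") not in approved:
            alerts.append(("restconf_config_by_unapproved_user", m.group("user"), line))
            continue
        m = PATTERNS["priv_change"].search(line)
        if m and int(m.group("new")) == 15 and int(m.group("old")) < 15:
            alerts.append(("privilege_escalated_to_15", m.group("user"), line))
    return alerts


if __name__ == "__main__":
    for rule, user, line in detect(SAMPLE_SYSLOG):
        print(f"ALERT [{rule}] user={user}: {line}")
```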

Vendor Response

Cisco PSIRT released the advisory on February 7, 2026 and:

  • Published fixed software for all affected trains
  • Released Cisco IOS XE Software Integrity Verification tools
  • Provided indicators of compromise
  • Coordinated with CISA for KEV inclusion

References

  • Cisco Security Advisory — CVE-2026-2134
  • Cisco IOS XE Software Integrity Assurance
  • CISA KEV Catalog
