Executive Summary
Cisco has released an emergency advisory for CVE-2026-2134, a high-severity privilege escalation vulnerability in the IOS XE Web UI. An authenticated attacker with read-only access can exploit the flaw to gain root-level command execution on affected devices. Cisco's PSIRT has confirmed active exploitation in the wild.
CVSS Score: 8.8
Vulnerability Overview
Root Cause
The vulnerability resides in the web-based management interface of Cisco IOS XE. Insufficient authorization checks in the REST API endpoints allow a user with Level 1 (read-only) privileges to execute commands at Level 15 (privileged EXEC) through crafted API requests.
Attack Chain
1. Attacker authenticates to IOS XE Web UI with low-privilege credentials
2. Sends crafted REST API request to /restconf/data/Cisco-IOS-XE-native:native
3. Authorization bypass allows command injection at privilege level 15
4. Attacker creates new admin account or modifies device configuration
5. Persistent backdoor established on network device
Technical Details
Affected Versions
| IOS XE Version | Affected | Fixed Version |
|---|---|---|
| 17.12.1 - 17.12.3 | Yes | 17.12.4 |
| 17.9.1 - 17.9.5 | Yes | 17.9.5a |
| 17.6.x | Not affected | N/A |
| 17.3.x | Not affected | N/A |
Affected Platforms
- Cisco Catalyst 9200, 9300, 9400, 9500, 9600 Series Switches
- Cisco Catalyst 8200, 8300, 8500 Series Edge Platforms
- Cisco ISR 1000, 4000 Series Routers
- Cisco ASR 1000 Series Routers
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Indicators of Compromise
Check for Unauthorized Users
# Show all local users
show running-config | include username
# Check for recently created accounts
show aaa local user all
# Look for unauthorized privilege level 15 users
show running-config | include privilege 15
Check Web UI Access Logs
# Review HTTP server logs
show ip http server session-module
# Check for unusual API calls
show logging | include restconf
# Verify no implants
show platform software audit all
Network Indicators
- Unusual RESTCONF API calls from unexpected source IPs
- New local user accounts created on network devices
- Configuration changes outside maintenance windows
- Unexpected ACL modifications
Immediate Remediation
Option 1: Patch (Recommended)
Upgrade to the fixed IOS XE version:
# From IOS XE CLI
copy tftp://server/iosxe-17.12.4.SPA.bin flash:
install add file flash:iosxe-17.12.4.SPA.bin activate commit
Option 2: Disable Web UI (Immediate Workaround)
# Disable HTTP and HTTPS servers
configure terminal
no ip http server
no ip http secure-server
end
write memory
Note: This disables all web-based management. CLI/SSH management remains available.
Option 3: Restrict Web UI Access
# Create ACL to restrict Web UI access
ip access-list standard WEB-MGMT-ONLY
permit 10.0.0.0 0.0.0.255
permit 172.16.1.0 0.0.0.255
deny any
# Apply to HTTP server
ip http access-class WEB-MGMT-ONLY
ip http secure-server access-class WEB-MGMT-ONLY
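The account checks under "Indicators of Compromise" and the Web UI hardening options above both come down to inspecting the running configuration. The following script, an added example and not a Cisco tool, audits a saved `show running-config` for the two things this advisory cares about: privilege-15 local users that are not in an approved baseline, and whether the HTTP/HTTPS servers are disabled, ACL-restricted, or open. The sample configuration and the approved-user list are constructed for illustration.

```python
"""Audit an IOS XE running-config export for advisory indicators (added example).
Inputs are constructed; point `local_users`/`webui_state` at a real config dump."""
import re

# Constructed sample of `show running-config` output (only the relevant lines).
SAMPLE_CONFIG = """\
hostname core-sw-01
username netadmin privilege 15 secret 9 $9$REDACTED1
username monitor privilege 1 secret 9 $9$REDACTED2
username svc_backup privilege 15 secret 9 $9$REDACTED3
ip http server
ip http secure-server
ip http access-class WEB-MGMT-ONLY
ip access-list standard WEB-MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
 deny   any
"""

# Baseline of accounts that are allowed to hold privilege 15 (assumed list).
APPROVED_PRIV15 = {"netadmin"}

# `username <name> [privilege <n>] ...`; IOS defaults to level 1 when omitted.
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")


def local_users(config: str) -> dict:
    """Map each local username to its privilege level."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2) or 1)
    return users


def unapproved_priv15(config: str, approved=APPROVED_PRIV15) -> list:
    """Privilege-15 accounts that are not in the approved baseline (sorted)."""
    return sorted(u for u, lvl in local_users(config).items()
                  if lvl == 15 and u not in approved)


def webui_state(config: str) -> str:
    """'disabled' if neither HTTP server is on, 'restricted by ACL <name>' if an
    access-class is applied, otherwise 'enabled, unrestricted'."""
    lines = {l.strip() for l in config.splitlines()}
    http_on = "ip http server" in lines          # 'no ip http server' will not match
    https_on = "ip http secure-server" in lines
    if not http_on and not https_on:
        return "disabled"
    acl = next((l.split()[-1] for l in lines
                if l.startswith("ip http access-class")), None)
    if acl:
        return f"restricted by ACL {acl}"
    return "enabled, unrestricted"


if __name__ == "__main__":
    print("users:", local_users(SAMPLE_CONFIG))
    print("unapproved privilege-15 users:", unapproved_priv15(SAMPLE_CONFIG))
    print("web UI:", webui_state(SAMPLE_CONFIG))
```

Run it against a config pulled over SSH (not the Web UI) from each device in the affected-platform list; any account in the unapproved list, or a Web UI reported as "enabled, unrestricted" on an unpatched version, is a device to investigate first.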
Detection Rules
Syslog Monitoring
Monitor for these syslog patterns:
%WEBUI-6-INSTALL_OPERATION: User 'readonly_user' performed configuration change via RESTCONF
%SYS-5-CONFIG_I: Configured from restconf by readonly_user
%AAA-5-USER_PRIV: User 'readonly_user' privilege changed from 1 to 15
SIEM Detection Query (Splunk)
index=network sourcetype=cisco:ios
("RESTCONF" OR "restconf") AND ("privilege" OR "CONFIG_I" OR "USER_PRIV")
| where user_priv_level < 15 AND action="configuration_change"
| stats count by src_ip, user, action
Vendor Response
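The syslog patterns and the Splunk query above express one detection idea: a configuration change arriving via RESTCONF from a user whose known privilege level is below 15, or any in-session jump in privilege level. As an added example (not a Cisco or Splunk artefact), here is that logic run over a few constructed syslog lines, with a `known_priv` table standing in for the device's local user list; an unknown user defaults to level 0 so that changes by accounts you have never seen also alert.

```python
"""Detection for the advisory's syslog patterns (added example).
Sample log lines and the known-privilege table are constructed."""
import re
from collections import Counter

# Constructed syslog sample in the message formats listed in the advisory.
SAMPLE_LOGS = """\
<189>Feb  7 10:01:02 core-sw-01 12: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)
<189>Feb  7 10:03:44 core-sw-01 13: %WEBUI-6-INSTALL_OPERATION: User 'readonly_user' performed configuration change via RESTCONF
<189>Feb  7 10:03:45 core-sw-01 14: %SYS-5-CONFIG_I: Configured from restconf by readonly_user
<189>Feb  7 10:04:10 core-sw-01 15: %AAA-5-USER_PRIV: User 'readonly_user' privilege changed from 1 to 15
<189>Feb  7 10:09:00 core-sw-01 16: %SYS-5-CONFIG_I: Configured from restconf by netadmin
"""

# Privilege levels as provisioned (assumed; export from the local user table).
KNOWN_PRIV = {"netadmin": 15, "readonly_user": 1}

PATTERNS = {
    "restconf_change": re.compile(
        r"%WEBUI-6-INSTALL_OPERATION: User '(?P<user>[^']+)' performed configuration change via RESTCONF"),
    "config_i": re.compile(
        r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)"),
    "priv_change": re.compile(
        r"%AAA-5-USER_PRIV: User '(?P<user>[^']+)' privilege changed from (?P<old>\d+) to (?P<new>\d+)"),
}


def detect(logs: str, known_priv=KNOWN_PRIV) -> list:
    """Return (rule, user, line) alerts; mirrors the `where` clause of the SIEM query."""
    alerts = []
    for line in logs.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            user = m.group("user")
            if name == "priv_change" and int(m.group("new")) > int(m.group("old")):
                alerts.append(("privilege_escalation", user, line))
            elif name == "restconf_change" and known_priv.get(user, 0) < 15:
                alerts.append(("low_priv_restconf_change", user, line))
            elif (name == "config_i" and m.group("source").lower() == "restconf"
                  and known_priv.get(user, 0) < 15):
                alerts.append(("low_priv_restconf_change", user, line))
    return alerts


def summarize(alerts: list) -> Counter:
    """Equivalent of the `stats count by user, action` step."""
    return Counter((user, rule) for rule, user, _ in alerts)


if __name__ == "__main__":
    for rule, user, line in detect(SAMPLE_LOGS):
        print(f"[{rule}] {user}: {line}")
    print(summarize(detect(SAMPLE_LOGS)))
```

On the sample, the console change and the RESTCONF change by the provisioned level-15 administrator produce nothing, while the read-only account yields two low-privilege RESTCONF alerts followed by a privilege-escalation alert, which is exactly the sequence in the attack chain above. Keep the `known_priv` table sourced from your provisioning system rather than from the device, since a compromised device can report the attacker's account as level 15.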
Cisco PSIRT released the advisory on February 7, 2026 and:
- Published fixed software for all affected trains
- Released Cisco IOS XE Software Integrity Verification tools
- Provided indicators of compromise
- Coordinated with CISA for KEV inclusion