# CVE-2023-20198
CVE-2023-20198 Checkscript based on:
Including the updated where there is an Authorization header to check for the known implant. 

!! Upgraded to look for upgraded implant 

The script checks length of returned response with code 200, and checks if length is shorter then 32 characters. Each IP returning shorter length than 32 chars should be checked to se if device is compromised. This script *only* gives you an indicator, not proof that the device is compromised.

The script also checks if the implant has been upgraded, as dicovered by Fox-IT:



and enter you desired subnet to scan. For example:

python CVE-2023-20198

Enter the subnet (CIDR notation):

IP: - Error: no reply

IP: - Error: no reply

IP: - Status: 200

IP: - Response is a potentially suspicious: 

IPs with status code 200, suspicious length, should be checked:


IPs with status code 200, but no IOC: