diff --git a/_cases/2023/DIVD-2023-00038.md b/_cases/2023/DIVD-2023-00038.md
new file mode 100644
index 00000000..1d567da6
--- /dev/null
+++ b/_cases/2023/DIVD-2023-00038.md
@@ -0,0 +1,58 @@
+---
+layout: case
+title: Global Cisco IOS-XE (CVE-2023-20198) Implants
+excerpt: "An unknown threat actor is using a recent authentication bypass vulnerability (CVE-2023-20198) on Cisco IOS-XE to backdoor Cisco appliances worldwide. "
+author: Max van der Horst
+lead: Ralph Horn, Max van der Horst
+researchers:
+- Ralph Horn
+- Max van der Horst
+cves:
+- CVE-2023-20198
+product: 
+- Cisco IOS-XE
+versions: 
+- All versions of Cisco IOS-XE
+recommendation: Disable the Cisco WebUI and remove all management interfaces from the public Internet. If you have found an implant, consider starting your Incident Response procedure.
+patch_status: patch unavailable
+workaround: Disable HTTP(S) management interface access or implement an Access Control List.  
+status : Open
+start: 2023-10-17
+end: 
+timeline:
+- start: 2023-10-17
+  end:
+  event: "DIVD starts researching CVE-2023-20198."
+- start: 2023-10-17
+  end:
+  event: "DIVD takes note of growing level of implants."
+- start: 2023-10-18
+  end:
+  event: "DIVD starts scanning for implants."
+
+# You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials)
+---
+## Summary
+
+On October 16th, Cisco disclosed an authentication bypass vulnerability affecting Cisco IOS-XE appliances with CVE-ID CVE-2023-20198. An unknown threat actor is actively placing implants on the vulnerable appliances worldwide. This is a serious situation as implants allow threat actors to monitor traffic, gain access to the underlying system and move into protected networks. For additional guidance, please find the Cisco PSIRT advisory at the bottom of this page.
+
+## Recommendations
+
+No patch is currently available, therefore disable HTTP(S) access to any management interfaces if possible. If HTTP(S) access is required, implement an Access Control List to limit access.
+
+## What we are doing
+
+DIVD is scanning for implants on public-facing systems. Owners of such systems will receive a notification with this casefile and remediation steps.
+
+
+{% comment %}  Leave this here, so we see a timeline {% endcomment %}
+{% include timeline.html %}
+
+
+## More information
+
+* [CVE-2023-20198](https://nvd.nist.gov/vuln/detail/CVE-2023-20198)
+* [VulnCheck Blog](https://vulncheck.com/blog/cisco-implants)
+* [Talos Blog](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/)
+* [Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)
+