BadCandy Webshell threatens unpatched Cisco IOS XE devices, warns Australian government

Australia warns of attacks on unpatched Cisco IOS XE devices exploiting CVE-2023-20198, allowing BadCandy webshell install.
The Australian Signals Directorate (ASD) warns of ongoing attacks on unpatched Cisco IOS XE devices exploiting CVE-2023-20198, allowing BadCandy webshell infections and admin takeover.
“Cyber actors are installing an implant dubbed ‘BADCANDY’ on Cisco IOS XE devices that are vulnerable to CVE-2023-20198. Variations of the BADCANDY implant have been observed since October 2023, with renewed activity notable throughout 2024 and 2025.” reads the alert issued by the ASD.
The vulnerability CVE-2023-20198 (CVSS score 10) in Cisco IOS XE Software lets an attacker gain administrator privileges and take over vulnerable devices. Cisco's advisory states that a remote, unauthenticated attacker can exploit it to create an account on an affected system with privilege level 15 access.
The flaw affects physical and virtual devices running IOS XE with the Web User Interface (Web UI) feature enabled and the HTTP or HTTPS Server feature in use.
Since July 2025, the Australian agency has observed over 400 devices in the country potentially compromised with BADCANDY. As of late October 2025, over 150 compromised devices in Australia were still exposed online.

BADCANDY is a Lua-based webshell installed on Cisco IOS XE devices after CVE-2023-20198 has been exploited. The implant does not survive a reboot, but attackers may retain access through the privileged accounts they created or credentials they stole, so patching and restricting Web UI access are required to prevent re-exploitation.
“ASD believes actors are able to detect when the BADCANDY implant is removed and are re-exploiting the devices. This further highlights the need to patch against CVE-2023-20198 to avoid re-exploitation.” continues the alert.
ASD is notifying affected entities and providing guidance on patching, rebooting, hardening, and incident response. The agency will keep issuing alerts so that operators know when their devices have been compromised.
To remove BADCANDY, government experts recommend that operators review and delete unauthorized privileged accounts, check for unknown tunnel interfaces, and monitor configuration changes through TACACS+ logging.
Organizations should follow Cisco's guidance: disable the HTTP server feature and apply the IOS XE hardening guide to prevent future BADCANDY compromises.
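The account, tunnel and Web UI checks described above can be scripted against a saved running-config and an export of TACACS+ command accounting. The Python below is an added example written for this article, not ASD or Cisco tooling: the allow-lists, the sample running-config and the tab-separated (tac_plus-style) accounting records are constructed assumptions, and a real deployment would feed it the device's own `show running-config` output and accounting log.

```python
"""Audit a Cisco IOS XE device for the BADCANDY indicators ASD lists.

Added example, not ASD's or Cisco's tooling. Runs offline over a constructed
running-config and constructed TACACS+ command-accounting lines (tab-separated,
tac_plus-style; the real accounting format is an assumption here).
"""
import json
import re

# Allow-lists an operator maintains out of band (hypothetical values).
KNOWN_ADMINS = {"netadmin"}
KNOWN_TUNNELS = {"Tunnel0"}

# Constructed sample config; no real device or password hash is represented.
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
!
interface Tunnel1337
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
!
ip http server
ip http secure-server
!
end
"""

# Constructed accounting records: timestamp, NAS, user, port, remote, status, AV pairs.
SAMPLE_ACCOUNTING = [
    "Mon Oct 27 10:15:42 2025\t192.0.2.1\tnetadmin\tvty0\t203.0.113.5\tstop"
    "\ttask_id=41\tservice=shell\tpriv-lvl=15\tcmd=show ip interface brief <cr>",
    "Mon Oct 27 10:16:03 2025\t192.0.2.1\tnetadmin\tvty0\t203.0.113.5\tstop"
    "\ttask_id=42\tservice=shell\tpriv-lvl=15\tcmd=username svc_backup privilege 15 secret ***** <cr>",
    "Mon Oct 27 10:16:30 2025\t192.0.2.1\tnetadmin\tvty0\t203.0.113.5\tstop"
    "\ttask_id=43\tservice=shell\tpriv-lvl=15\tcmd=interface Tunnel1337 <cr>",
]

USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b", re.M)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)\b", re.M)
HTTP_RE = re.compile(r"^ip http (?:secure-)?server$", re.M)
# Commands that add a privileged user, add a tunnel, or re-enable the Web UI transport.
SUSPICIOUS_CMD_RE = re.compile(
    r"^(?:username \S+ privilege 15\b|interface Tunnel\d+\b|ip http (?:secure-)?server$)"
)


def webui_exposed(config: str) -> bool:
    """True when the HTTP or HTTPS server is on; 'no ip http server' lines
    do not match because the pattern is anchored at line start."""
    return HTTP_RE.search(config) is not None


def unauthorized_priv15_users(config: str, known=KNOWN_ADMINS) -> list:
    """Local privilege-15 accounts the operator did not create."""
    return sorted(u for u, lvl in USER_RE.findall(config)
                  if int(lvl) == 15 and u not in known)


def unexpected_tunnels(config: str, known=KNOWN_TUNNELS) -> list:
    """Tunnel interfaces absent from the expected set."""
    return sorted(set(TUNNEL_RE.findall(config)) - set(known))


def flag_accounting_lines(lines) -> list:
    """(user, command) pairs for accounting records whose command matches SUSPICIOUS_CMD_RE."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        av = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
        cmd = av.get("cmd", "").strip()
        if cmd.endswith("<cr>"):          # IOS appends <cr> to accounted commands
            cmd = cmd[: -len("<cr>")].rstrip()
        if SUSPICIOUS_CMD_RE.match(cmd):
            hits.append((fields[2], cmd))
    return hits


def audit(config: str, accounting_lines) -> dict:
    """Run all checks and list the IOS commands that close each finding."""
    users = unauthorized_priv15_users(config)
    tunnels = unexpected_tunnels(config)
    exposed = webui_exposed(config)
    fix = [f"no username {u}" for u in users] + [f"no interface {t}" for t in tunnels]
    if exposed:
        fix += ["no ip http server", "no ip http secure-server"]
    return {
        "webui_exposed": exposed,
        "unauthorized_priv15_users": users,
        "unexpected_tunnels": tunnels,
        "suspicious_commands": flag_accounting_lines(accounting_lines),
        "remediation": fix,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG, SAMPLE_ACCOUNTING), indent=2))
```

Because the implant itself is gone after a reboot, the rogue privilege-15 account, the unexpected tunnel and the still-enabled HTTP server are what actually keep the door open; rerun the audit after every reboot and after patching, and treat a re-appearing account as the re-exploitation ASD describes rather than a leftover.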
Pierluigi Paganini
(SecurityAffairs – hacking, Cisco IOS XE)