Cybercriminals and state-sponsored actors are ramping up attacks on unpatched Cisco IOS XE devices across Australia, deploying a persistent Lua-based web shell known as BADCANDY to maintain unauthorized access.
This implant, observed in varying forms since October 2023, has seen renewed exploitation throughout 2024 and into 2025 via the critical CVE-2023-20198 vulnerability in the software's web user interface.
The Australian Signals Directorate (ASD) warns that over 400 devices were potentially compromised since July 2025, with more than 150 still infected as of late October, highlighting the ongoing threat to network infrastructure.
BADCANDY Web Shell Exploiting Unpatched Devices
The CVE-2023-20198 flaw, rated at a maximum CVSS score of 10.0, allows remote unauthenticated attackers to create highly privileged accounts on affected Cisco IOS XE routers and switches, granting full system control without credentials.
Cisco patched this zero-day in October 2023 amid active exploitation, but public exploits emerged shortly after, fueling widespread abuse by groups like the Chinese state-sponsored SALT TYPHOON.
ASD reports that attackers often apply a non-persistent patch after compromise to conceal the vulnerability, while installing BADCANDY, a lightweight implant that enables root-level command execution via a hidden URI path defined in an Nginx configuration file named cisco_service.conf.
Although BADCANDY vanishes upon reboot, attackers can retain access through stolen credentials or other persistence methods, making re-exploitation trivial on exposed web interfaces.
This vulnerability ranked among the top routinely exploited flaws in 2023, and ASD confirms ongoing attacks in 2025, particularly targeting internet-facing devices.
SALT TYPHOON, linked to Chinese intelligence, has leveraged similar Cisco weaknesses in global telecom breaches, often using legitimate credentials alongside exploits like CVE-2023-20198 and CVE-2023-20273.
Criminal actors and other nation-states are also reusing BADCANDY, scanning for unpatched systems and re-infecting those cleared by notifications.
The implant’s low footprint makes detection challenging without deep configuration reviews, underscoring risks to edge networks worldwide.
ASD’s Response
In response, ASD has issued bulk notifications to affected entities via service providers, urging immediate patching, reboots, and incident response since July 2025.
These efforts reduced infections from over 400 to around 150 by late October, but fluctuations suggest actors detect and re-exploit cleared devices.
A graph tracking BADCANDY implants from July to October 2025 shows a steady decline punctuated by spikes around bulk notification events in September and early October, with the line dropping from 350 in mid-July to about 138 by late October.
ASD attributes resurgences to unpatched systems left online, emphasizing that reboots alone won’t suffice without addressing the root vulnerability.

To combat this, ASD recommends reviewing running configurations for privilege 15 accounts, especially suspicious ones like “cisco_tac_admin” or those with random strings, and removing unauthorized entries.
Organizations should also scan for unknown tunnel interfaces, such as “interface tunnel[number]” with unexpected IPs, and check TACACS+ logs for changes if enabled.
Applying Cisco’s patch for CVE-2023-20198 is critical, alongside disabling the HTTP server feature and following the IOS XE hardening guide to restrict web UI access.
Rebooting removes the implant but requires post-reboot checks for lingering changes, and broader edge-device security, such as network segmentation, can prevent lateral movement.
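As an added illustration of the configuration review described above (not code from ASD or Cisco), the following script scans a saved IOS XE running-config for the three indicators the guidance names: privilege 15 accounts outside an allowlist, Tunnel interfaces that were not provisioned, and an enabled HTTP/HTTPS web UI. The running-config text, the allowlists and the account names are constructed for the example.

```python
"""Added example: review an IOS XE running-config for the indicators
the article lists. The config, allowlists and names are constructed."""
import re

# Constructed sample running-config excerpt (not from a real device).
RUNNING_CONFIG = """\
version 17.3
hostname edge-rtr-1
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username a8f3k2 privilege 15 secret 9 $9$placeholder
interface Tunnel100
 ip address 192.0.2.10 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
ip http server
ip http secure-server
"""

KNOWN_ADMINS = {"netadmin"}   # hypothetical: accounts the org provisioned
KNOWN_TUNNELS = set()          # hypothetical: tunnels the org expects

def privileged_accounts(config):
    """Return every username configured with privilege 15."""
    return re.findall(r"^username (\S+) privilege 15\b", config, re.M)

def suspicious_admins(config, known=KNOWN_ADMINS):
    """Privilege 15 accounts not on the allowlist, e.g. cisco_tac_admin
    or random-looking names that an attacker may have created."""
    return [u for u in privileged_accounts(config) if u not in known]

def tunnel_interfaces(config):
    """Return (name, destination) for each Tunnel interface stanza;
    sub-commands are the indented lines that follow the interface line."""
    found = []
    for m in re.finditer(r"^interface (Tunnel\d+)\n((?: .*\n)*)", config, re.M):
        dest = re.search(r"tunnel destination (\S+)", m.group(2))
        found.append((m.group(1), dest.group(1) if dest else None))
    return found

def unknown_tunnels(config, known=KNOWN_TUNNELS):
    """Tunnel interfaces that were not expected to be configured."""
    return [t for t in tunnel_interfaces(config) if t[0] not in known]

def http_server_enabled(config):
    """True if the HTTP or HTTPS web UI (the exploited surface) is on."""
    return bool(re.search(r"^ip http (secure-)?server$", config, re.M))

if __name__ == "__main__":
    print("suspicious privilege 15 accounts:", suspicious_admins(RUNNING_CONFIG))
    print("unexpected tunnel interfaces:", unknown_tunnels(RUNNING_CONFIG))
    print("web UI enabled:", http_server_enabled(RUNNING_CONFIG))
```

Run it against the output of `show running-config` saved to a file, replacing the constructed text and allowlists with your own; a non-empty result from either list, or a True from the web UI check on an internet-facing device, warrants the patch, reboot and post-reboot checks the article describes.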
Cisco provides indicators of compromise in its advisory to aid investigations, while ASD continues notifications to shrink the attack surface in Australia. By prioritizing these actions, networks can thwart re-exploitation and bolster defenses against evolving threats.