Scores of Australian Cisco devices remain BADCANDY infected

More than 150 Australian Cisco routers and switches remain infected with the BADCANDY webshell as of late October 2025, despite patches being available for over two years, Australia’s top cyber security agency warned.

The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) said in an advisory that, while the number of compromised devices it has observed has fallen from more than 400 when BADCANDY was first discovered, many Cisco IOS XE routers and switches remain unpatched.

ASD said the vulnerability used to deploy BADCANDY is still being actively exploited, including on devices for which the agency had already sent out notifications, which suggests re-infection is taking place.

It is thought that threat actors can detect when a BADCANDY implant has been removed and then seek to re-infect devices that remain vulnerable.

Cisco Talos researchers first identified and named the BADCANDY implant in October 2023, shortly after threat actors began exploiting CVE-2023-20198 to compromise Cisco IOS XE devices globally.

The vulnerability carries the maximum CVSS severity score of 10.0 and allows unauthenticated attackers to create administrator accounts on vulnerable systems, run commands remotely and fully compromise the devices.

BADCANDY is described as a "low equity" Lua-based webshell, meaning the implant requires minimal technical sophistication to deploy once initial access has been gained.

This accessibility has made BADCANDY attractive to both criminal groups and state-sponsored actors.

Once a device has been compromised, threat actors can intercept and observe network traffic, enable persistence and move laterally in networks.

ASD identified China’s Salt Typhoon hacking group as one actor leveraging this attack vector for global espionage operations.

Rebooting a device removes BADCANDY; however, doing so will not reverse any additional actions taken by the threat actor, nor will it fix the underlying vulnerability, ASD warned.

The agency recommends organisations review their running configurations for suspicious privilege level 15 accounts, particularly those with random-looking names or names such as "cisco_tac_admin", "cisco_support" or "cisco_sys_manager".

Unknown tunnel interfaces in the configuration also warrant investigation.

The patch for CVE-2023-20198 must be applied to prevent re-exploitation, and, where the web user interface is enabled, access to it should be restricted.
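One way to automate the configuration review described above, as an added example that is not part of the article or of ASD's advisory: a small Python audit that parses a constructed running-config excerpt and flags privilege 15 accounts with the named implant account names or random-looking names, plus tunnel interfaces that are not on an expected list. The random-name heuristic (mixed letters and digits, or Shannon entropy above 3.5 bits) and the two allowlist parameters are assumptions, not part of the advisory.

```python
import re
from collections import Counter
from math import log2

# Account names the ASD advisory lists as indicators of CVE-2023-20198 abuse.
IMPLANT_ACCOUNT_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)\b", re.IGNORECASE)

# Constructed running-config excerpt (secret hashes replaced by placeholders), not from a real device.
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username q8fkz2x7 privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
interface GigabitEthernet1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
interface Tunnel77
 tunnel source GigabitEthernet1
"""


def shannon_entropy(s):
    """Bits of entropy per character; generated names tend to score high."""
    counts = Counter(s)
    return -sum(c / len(s) * log2(c / len(s)) for c in counts.values())


def looks_random(name):
    # Heuristic assumed here: mixed letters and digits (8+ chars), or entropy above 3.5 bits.
    mixed = any(c.isdigit() for c in name) and any(c.isalpha() for c in name)
    return (mixed and len(name) >= 8) or shannon_entropy(name) > 3.5


def audit_running_config(config_text, expected_accounts=(), expected_tunnels=()):
    """Return privilege 15 accounts and tunnel interfaces that are not on the allowlists."""
    findings = {"suspicious_accounts": [], "unknown_tunnels": []}
    for line in config_text.splitlines():
        user = USERNAME_RE.match(line.strip())
        tunnel = TUNNEL_RE.match(line.strip())
        if user and int(user.group(2)) == 15 and user.group(1) not in expected_accounts:
            name = user.group(1)
            if name in IMPLANT_ACCOUNT_NAMES:
                findings["suspicious_accounts"].append((name, "known implant account name"))
            elif looks_random(name):
                findings["suspicious_accounts"].append((name, "random-looking privilege 15 name"))
        elif tunnel and tunnel.group(1) not in expected_tunnels:
            findings["unknown_tunnels"].append(tunnel.group(1))
    return findings
```

Run it against the output of `show running-config` on each device, passing the accounts and tunnels your change records say should exist; anything it returns needs a human to explain it.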
