
The Australian Signals Directorate (ASD) recently issued a high-severity alert about an ongoing cyberattack campaign exploiting a critical vulnerability in Cisco IOS XE devices, tracked as CVE-2023-20198. This vulnerability carries the maximum CVSS score of 10.0, reflecting its extreme risk, and has been actively exploited since 2023.
What is BADCANDY?
BADCANDY is a stealthy Lua-based web shell implant deployed by threat actors after exploiting the CVE-2023-20198 web UI privilege escalation vulnerability. This implant grants attackers root-level access to compromised Cisco IOS XE networking devices such as routers, switches, and wireless controllers. With this access, attackers can execute arbitrary commands, conduct network reconnaissance, and exfiltrate data.
Despite the implant’s power, it is non-persistent and disappears after a device reboot. However, attackers continuously re-exploit unpatched devices to reinstall BADCANDY, maintaining persistent control over targeted networks.
Attack Details and Impact
Exploitation begins with CVE-2023-20198, which allows an unauthenticated attacker to create a privileged local user on the device. The attacker then installs the BADCANDY implant by escalating their privileges. Survey data indicates that over 400 Cisco IOS XE devices in Australia alone were infected as of late 2025, with many still compromised.
The Salt Typhoon group, believed to be state-sponsored, has been linked to deploying this implant, targeting telecommunications and critical infrastructure providers globally.
What You Need to Do
- Immediate Patching: Organizations must urgently apply Cisco’s updates addressing CVE-2023-20198 and related vulnerabilities.
- Restrict Web UI Access: Limit access to the Cisco IOS XE web UI to trusted networks only or disable it entirely if possible.
- Monitor for Indicators: Watch for unusual local user accounts, unexplained network tunnels, and any suspicious configuration changes.
- Reboot and Scan Devices: Since the implant clears on reboot, restarting the device and then verifying it is clean temporarily reduces risk, but patching to prevent reinfection is critical.
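As an added illustration (not part of the ASD alert or Cisco's own tooling), the following Python script audits a constructed IOS XE running-config excerpt for the indicators listed above: privilege-15 local users outside an allowlist, an enabled web UI, and tunnel interfaces nobody provisioned. The config text, the allowlist and the account names are assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 REDACTED
username tmpadmin privilege 15 secret 9 REDACTED
!
ip http server
ip http secure-server
!
interface Tunnel0
 tunnel source GigabitEthernet1
!
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
!
"""

# Hypothetical allowlist of local admin accounts the organisation provisioned.
KNOWN_ADMINS = {"netadmin"}

USER_RE = re.compile(r"^username (\S+) privilege 15\b")      # level-15 local user
HTTP_RE = re.compile(r"^ip http (secure-)?server$")          # web UI enabled (HTTP/HTTPS)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)$")           # tunnel interface definition

@dataclass
class Findings:
    unexpected_priv15_users: list = field(default_factory=list)
    web_ui_enabled: list = field(default_factory=list)
    tunnel_interfaces: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.unexpected_priv15_users or self.web_ui_enabled or self.tunnel_interfaces)

def audit_config(config: str, known_admins=KNOWN_ADMINS, expected_tunnels=()) -> Findings:
    """Scan a running-config for the three indicator classes; 'no ip http server' does not match."""
    f = Findings()
    for raw in config.splitlines():
        line = raw.strip()
        if (m := USER_RE.match(line)) and m.group(1) not in known_admins:
            f.unexpected_priv15_users.append(m.group(1))
        elif HTTP_RE.match(line):
            f.web_ui_enabled.append(line)
        elif (m := TUNNEL_RE.match(line)) and m.group(1) not in expected_tunnels:
            f.tunnel_interfaces.append(m.group(1))
    return f
```

Run it against `show running-config` output exported from each device; any non-empty finding warrants a closer look, and an enabled web UI reachable from untrusted networks should be disabled or restricted as the list above recommends.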
Why This Matters
BADCANDY highlights the significant dangers of unpatched network infrastructure, especially devices directly exposed to the internet or less-secured internal networks. The ability of attackers to gain root access quietly and repeatedly re-infect devices puts sensitive communications and data at risk.
This alert from ASD underscores the importance of rigorous patch management and network hygiene in defending against sophisticated adversaries who exploit such vulnerabilities.
Final Thoughts
Cisco IOS XE users must treat this vulnerability and the BADCANDY implant threat seriously given the active exploitation and impact on key infrastructure. By promptly patching, hardening device access, and monitoring networks, organizations can reduce their attack surface and mitigate this risk effectively.
Stay vigilant and keep your networking equipment secured—your entire organization’s cybersecurity could depend on it.