{"id":8111,"date":"2025-11-01T10:04:18","date_gmt":"2025-11-01T10:04:18","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/01\/hackers-exploiting-cisco-ios-xe-vulnerability-in-the-wild-to-deploy-badcandy-web-shell\/"},"modified":"2025-11-01T10:04:18","modified_gmt":"2025-11-01T10:04:18","slug":"hackers-exploiting-cisco-ios-xe-vulnerability-in-the-wild-to-deploy-badcandy-web-shell","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/01\/hackers-exploiting-cisco-ios-xe-vulnerability-in-the-wild-to-deploy-badcandy-web-shell\/","title":{"rendered":"Hackers Exploiting Cisco IOS XE Vulnerability in the Wild to Deploy BADCANDY Web Shell"},
"content":{"rendered":"<div>\n<p>Cybercriminals and state-sponsored actors are ramping up attacks on unpatched Cisco IOS XE devices across Australia, deploying a persistent Lua-based web shell known as BADCANDY to maintain unauthorized access.<\/p>\n<p>Variants of this implant have been observed since October 2023, and its deployment picked up again throughout 2024 and into 2025 through the critical CVE-2023-20198 vulnerability in the software\u2019s web user interface.<\/p>\n<p>The Australian Signals Directorate (ASD) warns that over 400 devices were potentially compromised since July 2025, with more than 150 still infected as of late October, highlighting the ongoing threat to network infrastructure.<\/p>\n<h2 class=\"wp-block-heading\" id=\"persistent-threat-from-cve-2023-20198\"><strong>BADCANDY Web Shell Exploiting Unpatched Devices<\/strong><\/h2>\n<p>The <a href=\"https:\/\/cybersecuritynews.com\/exploited-vulnerabilities-2023\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-20198<\/a> flaw, rated at the maximum CVSS score of 10.0, allows remote unauthenticated attackers to create highly privileged accounts on affected Cisco IOS XE routers and switches, granting full system control without credentials.<\/p>\n<p>Cisco patched this zero-day in October 2023 amid active exploitation, but public exploits emerged shortly after, fueling widespread abuse by groups like the Chinese state-sponsored <a href=\"https:\/\/cybersecuritynews.com\/chinese-salt-typhoon-hackers-exploiting-exchange-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">SALT TYPHOON<\/a>.<\/p>\n<p>ASD reports that attackers often apply a non-persistent patch post-compromise to hide the vulnerability, while installing BADCANDY, a lightweight implant that enables root-level command execution via a hidden URI path in an Nginx configuration file named cisco_service.conf.<\/p>\n<p>Although BADCANDY vanishes upon reboot, attackers can retain access through stolen credentials or other persistence methods, making re-exploitation trivial on exposed web interfaces.<\/p>\n<p>This vulnerability ranked among the top routinely exploited flaws in 2023, and ASD confirms ongoing attacks in 2025, particularly targeting internet-facing devices.<\/p>\n<p>SALT TYPHOON, linked to Chinese intelligence, has leveraged similar Cisco weaknesses in global telecom breaches, often using legitimate credentials alongside exploits like CVE-2023-20198 and <a href=\"https:\/\/cybersecuritynews.com\/malicious-ips-cisco-devices\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-20273<\/a>.<\/p>\n<p>Criminal actors and other nation-states are also reusing BADCANDY, scanning for unpatched systems and re-infecting those cleared by notifications.<\/p>\n<p>The implant\u2019s low footprint makes detection challenging without deep configuration reviews, underscoring risks to edge networks worldwide.<\/p>\n<h2 class=\"wp-block-heading\" id=\"asds-response-and-infection-trends\"><strong>ASD\u2019s Response<\/strong><\/h2>\n<p>Since July 2025, ASD has issued bulk notifications to affected entities via service providers, urging immediate patching, reboots, and incident response.<\/p>\n<p>These efforts reduced infections from over 400 to around 150 by late October, but fluctuations suggest actors detect and re-exploit cleared devices.<\/p>\n<p>A graph tracking BADCANDY implants from July to October 2025 shows a steady decline punctuated by spikes around bulk notification events in September and early October, with the line dropping from 350 in mid-July to about 138 by late October.<\/p>\n<p>ASD attributes resurgences to unpatched systems left online, emphasizing that reboots alone won\u2019t suffice without addressing the root vulnerability.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg2wnu_ZRDhbt9gsPoBbcFcOcEw8nx-SQZ971KlgKoE1zqKG9dh4TF1opfZih3T5Ub9W-ebRrOE_Uw2LV0Tg75dh8SndYYA7_ousRSV9UTEDADXG_UHNB-DDyql1IW1Ocrzj1ARFfWzGz-3uVAZMc_xNXuhfDTNbqdzy6xrG29Wv888FkgU_kE0jjQjcNNc\/s16000\/Cisco%2520IOS%2520XE.webp?ssl=1\" alt=\"\"><\/figure>\n<p>To combat this, ASD recommends reviewing running configurations for privilege 15 accounts, especially suspicious ones like \u201ccisco_tac_admin\u201d or those with random strings, and removing unauthorized entries.<\/p>\n<p>Organizations should also scan for unknown tunnel interfaces, such as \u201cinterface tunnel[number]\u201d with unexpected IPs, and check TACACS+ logs for changes if enabled.<\/p>\n<p>Applying Cisco\u2019s patch for <a href=\"https:\/\/cybersecuritynews.com\/50k-cisco-ios-devices-hacked\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-20198<\/a> is critical, alongside disabling the HTTP server feature and following the IOS XE hardening guide to restrict web UI access.<\/p>\n<p>Rebooting removes the implant but requires post-reboot checks for lingering changes, and broader edge-device security, such as network segmentation, can prevent lateral movement.<\/p>\n<p>Cisco provides indicators of compromise in its advisory to aid investigations, while ASD continues notifications to shrink the attack surface in Australia. By prioritizing these actions, networks can thwart re-exploitation and bolster defenses against evolving threats.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/cisco-ios-xe-badcandy-web-shell\/\">Hackers Exploiting Cisco IOS XE Vulnerability in the Wild to Deploy BADCANDY Web Shell<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/cisco-ios-xe-badcandy-web-shell\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Cybercriminals and state-sponsored actors are ramping up attacks on unpatched Cisco IOS XE devices across Australia, deploying a persistent Lua-based web shell known as BADCANDY to maintain unauthorized access. This implant, first spotted in variations since October 2023, has seen renewed [&hellip;]<\/p>\n","protected":false},
"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-8111","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8111"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8111"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8111\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}