ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability

The Australian Signals Directorate (ASD) has issued a national cybersecurity alert warning that hundreds of Cisco IOS XE devices in Australia remain compromised by a malicious implant known as BADCANDY. The malware is being deployed through a critical flaw in Cisco’s software identified as CVE-2023-20198, which allows attackers to create hidden administrator accounts and take full control of vulnerable network equipment.

This new bulletin confirms that the same vulnerability, originally discovered in 2023 and linked to state and criminal groups, continues to be exploited throughout 2024 and 2025. The implant allows attackers to run commands, disguise system status, and potentially re-infect devices even after removal if the core flaw remains unpatched.

What is BADCANDY

BADCANDY is a Lua-based web shell that allows remote attackers to control network devices running Cisco IOS XE software. Once installed, the implant gives the attacker the ability to execute commands directly on the router or switch, modify settings, and move deeper into the connected network. It is considered a “low equity” implant, meaning it is simple, fast to deploy, and often used in widespread opportunistic campaigns rather than deep espionage operations.

The malware has been seen in the wild since late 2023, but activity has surged again through 2024 and 2025, showing that many organizations still have not patched the vulnerable software. For background on similar threats, visit our malware and cybersecurity coverage.

How the exploitation works

The BADCANDY attacks exploit CVE-2023-20198, a critical flaw in the web user interface of Cisco IOS XE. The vulnerability allows an unauthenticated attacker who can reach the web UI to create a new privilege-level-15 administrative account, giving them complete control of the affected device. With that access, attackers upload a Lua script that runs on the device and blends in with legitimate web traffic.

This flaw carries the maximum CVSS score of 10.0 and has been used by several advanced threat actors, including the group known as Salt Typhoon. Cisco confirmed that both physical and virtual IOS XE devices with the web UI feature enabled are at risk, especially if the interface is exposed directly to the internet.

Impact in Australia

ASD reports that more than 400 Cisco IOS XE devices in Australia were compromised by BADCANDY between July and October 2025. About 150 of those infections occurred in October alone. Analysts believe that threat actors are actively monitoring for devices where the implant is removed and immediately reinfecting them if they remain unpatched.

The agency warns that even though the BADCANDY implant does not survive a reboot, the attacker’s access may continue through stolen credentials or backdoor accounts. This means simply restarting the device does not eliminate the threat unless patches and configuration fixes are applied.

Technical behavior and persistence

BADCANDY is notable for being a non-persistent Lua script that runs inside the Cisco IOS XE environment. It is loaded via the web interface and used to execute arbitrary commands on the device. After installation, attackers may apply a temporary patch to make it appear that the system is no longer vulnerable, masking the infection from administrators.

Because the implant is wiped after a reboot, many victims believe they are clean even though the underlying vulnerability remains. Once attackers detect that the system is online again and still unpatched, they can simply redeploy the implant. This loop has allowed the same routers to be reinfected repeatedly throughout 2025.

Who is behind the attacks

While ASD did not attribute the latest wave to a specific group, past incidents using CVE-2023-20198 have been tied to both state-sponsored actors and criminal groups. Previous activity linked to Salt Typhoon and other China-based actors suggests that the BADCANDY implant may be part of broader espionage and network reconnaissance campaigns.

ASD notes that multiple threat groups have reused the same codebase, implying that the implant may be circulating among different attackers. The agency also believes that both state and criminal groups are exploiting previously compromised devices to maintain long-term access across networks.

ASD and Cisco response

ASD continues to send direct notifications to affected organizations through their internet service providers, advising immediate patching and system hardening. Cisco has also issued updated hardening guidance for IOS XE to help administrators secure web interfaces, disable unused services, and prevent external access to the management plane.

Both Cisco and ASD stress that removing the BADCANDY implant is not enough. System operators must verify configurations, remove suspicious user accounts such as cisco_tac_admin or cisco_support, and inspect running interfaces for unauthorized tunnels. These checks are essential to confirm that no hidden backdoors remain.

Mitigation and hardening steps

ASD and Cisco recommend several steps for all organizations running Cisco IOS XE devices:

  • Immediately apply Cisco’s patch for CVE-2023-20198 to eliminate the root vulnerability.
  • Reboot the device after patching. The implant will be cleared from memory, but configuration checks must still be performed.
  • Disable the web UI feature (HTTP/HTTPS server) if not required. This significantly reduces the attack surface.
  • Review accounts with privilege level 15 and remove any that are unexpected or unauthorized.
  • Look for accounts with names such as cisco_tac_admin, cisco_support, cisco_sys_manager, or random character strings and remove them if they are not legitimate.
  • Check the configuration for unknown or suspicious tunnel interfaces that could indicate lateral movement.
  • Review TACACS+ command accounting logs for unexpected configuration changes, if logging is enabled.
  • Follow Cisco’s full IOS XE hardening and security recommendations to prevent re-exploitation.
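The account, web UI and tunnel checks in the list above can be scripted against a saved copy of `show running-config`. The following is an added example written for this article, not a tool from ASD or Cisco: it audits a constructed sample config for unexpected privilege-15 users (the observed BADCANDY names, plus a simple heuristic for random-looking names), an enabled HTTP/HTTPS server, and tunnel interfaces. The sample config, the `netops` admin name and the randomness heuristic are assumptions for illustration.

```python
import re

# Constructed sample running-config excerpt (not from a real device): one expected
# admin, two suspicious privilege-15 accounts, web UI enabled and a tunnel interface.
SAMPLE_CONFIG = """\
version 17.3
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username x9q2kd privilege 15 secret 9 $9$placeholder
username helpdesk privilege 1 secret 9 $9$placeholder
ip http server
ip http secure-server
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
interface Tunnel0
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.5
"""

# Usernames ASD reports as observed in BADCANDY intrusions.
KNOWN_BAD_USERNAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

def looks_random(name):
    """Assumed heuristic for machine-generated names: short, lowercase, letters mixed with digits."""
    return bool(re.fullmatch(r"[a-z0-9]{5,12}", name)) and any(c.isdigit() for c in name)

def audit_config(config, expected_admins):
    """Return (kind, value, reason) findings for the checks recommended above.
    Accounts configured without an explicit 'privilege 15' keyword default to level 1
    and are intentionally not flagged."""
    findings = []
    for line in config.splitlines():
        user = re.match(r"username (\S+) privilege (\d+)", line)
        if user:
            name, priv = user.group(1), int(user.group(2))
            if priv == 15 and name not in expected_admins:
                if name in KNOWN_BAD_USERNAMES:
                    reason = "known BADCANDY username"
                elif looks_random(name):
                    reason = "random-looking privilege-15 account"
                else:
                    reason = "unexpected privilege-15 account"
                findings.append(("user", name, reason))
        elif re.match(r"ip http (secure-)?server", line):
            findings.append(("webui", line.strip(), "web UI enabled; disable if not required"))
        elif re.match(r"interface Tunnel\d+", line):
            findings.append(("tunnel", line.split()[1], "tunnel interface; verify it is authorized"))
    return findings

if __name__ == "__main__":
    for kind, value, reason in audit_config(SAMPLE_CONFIG, {"netops"}):
        print(f"[{kind}] {value}: {reason}")
```

Feed it the real running-config and the set of admin accounts you expect; anything it flags is a candidate for removal or investigation, not proof of compromise on its own.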

Organizations are also advised to regularly scan systems for active web shells and monitor administrative logins. Comprehensive network monitoring can help detect unauthorized configuration changes or outbound traffic patterns associated with known command-and-control servers.

Indicators of compromise

Vulnerability exploited: CVE-2023-20198 (CVSS 10.0)
Malware: BADCANDY (Lua-based web shell)
Implant persistence: Non-persistent, removed after reboot
Observed usernames: cisco_tac_admin, cisco_support, cisco_sys_manager
Observed activity: Unapproved admin accounts, hidden tunnel interfaces, masked patch status
Affected software: Cisco IOS XE (physical and virtual appliances with web UI enabled)
Estimated infected devices (Australia): 400+
Reinfected devices (October 2025): 150+

Because BADCANDY is easy to re-deploy, network operators should consider running a trusted

Sean Doyle
