The Australian Signals Directorate (ASD) has identified a significant and ongoing cyber threat targeting unpatched Cisco IOS XE devices across Australia. A previously undocumented implant, dubbed BADCANDY, is being actively leveraged by attackers to compromise critical network infrastructure. This sophisticated exploitation underscores the persistent dangers posed by unmitigated vulnerabilities in widely used network hardware.
The attacks are exploiting CVE-2023-20198, a critical vulnerability with a CVSS score of 10.0. This flaw allows remote, unauthenticated attackers to gain elevated privileges and full control over affected systems. The ASD bulletin highlights that these exploits have been observed in the wild since late 2023, with China-linked threat actors, including those associated with the Salt Typhoon group, utilizing this vulnerability to breach telecommunications providers.
BADCANDY: An Evolving Threat to Cisco IOS XE
Variations of the BADCANDY implant have been present since October 2023, with a surge in new attacks recorded throughout 2024 and into 2025. Recent data from the ASD indicates that approximately 400 Cisco IOS XE devices in Australia have been compromised by this malware as of July 2025, with a notable spike of 150 infections occurring in October alone. The continued prevalence of these attacks suggests a lack of timely patching among affected organizations.
BADCANDY is described by the ASD as a low-privilege, Lua-based web shell. Threat actors are reportedly applying non-persistent patches after compromise to hide both their presence and the fact that the device is vulnerable to CVE-2023-20198. The presence of the BADCANDY implant itself, however, is a clear indicator that the device was successfully compromised through this critical vulnerability.
A key characteristic of BADCANDY is its lack of persistence mechanisms. This means the implant cannot survive a system reboot on its own. However, if the compromised device remains unpatched and accessible from the internet, attackers can easily re-introduce the malware to regain access. The ASD has observed a disturbing trend where re-exploitation occurs on devices that have previously been remediated, suggesting that threat actors actively monitor for attempts to remove their presence.
Mitigation and Recommendations for Affected Organizations
To combat the ongoing BADCANDY threat and prevent future exploitation attempts on Cisco IOS XE devices, the ASD strongly advises system operators to implement several crucial security measures. Simply rebooting a compromised device will not undo all malicious actions already taken by attackers. Therefore, a comprehensive approach is necessary to secure these network devices.
The primary recommendation is to immediately apply the relevant security patches provided by Cisco for CVE-2023-20198. Additionally, limiting the public exposure of the Cisco IOS XE web user interface is critical. This reduces the attack surface available to threat actors. Following Cisco’s hardening guidelines for their devices is also essential for building a more resilient security posture. These guidelines often include recommendations for user account management and network access controls.
Beyond patching and access control, the ASD has issued specific security checks for system administrators to perform. These include:
- Thoroughly reviewing the running configuration for any accounts with privilege level 15, and promptly removing any unexpected or unauthorized accounts.
- Scrutinizing accounts for unusual or suspicious naming conventions, such as random strings or names like “cisco_tac_admin,” “cisco_support,” “cisco_sys_manager,” or “cisco.” Legitimate accounts configured with these names should remain, but any unauthorized usage must be removed.
- Examining the running configuration for the presence of any unknown tunnel interfaces, which could indicate unauthorized access or lateral movement.
- If TACACS+ AAA command accounting logging is enabled, reviewing it meticulously for records of configuration changes, which could reveal unauthorized modifications.
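A small audit script, added here as an illustration and not part of the ASD bulletin, that applies the configuration checks above to a constructed running-config excerpt; the allow-lists of expected accounts and tunnels, the random-name heuristic, and the sample config are assumptions for the example:

```python
import re

# Constructed sample running-config excerpt (not taken from the ASD bulletin).
SAMPLE_CONFIG = """\
hostname edge-01
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username helpdesk privilege 1 secret 9 $9$placeholder
username x7q2kz9p privilege 15 secret 9 $9$placeholder
!
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.9
!
ip http server
ip http secure-server
"""

# Account names the bulletin lists as commonly abused by the attackers.
SUSPICIOUS_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)", re.MULTILINE)
HTTP_RE = re.compile(r"^ip http (?:secure-)?server$", re.MULTILINE)
# Heuristic (an assumption): lowercase alphanumerics, 6+ chars, at least one digit.
RANDOM_RE = re.compile(r"^(?=.*\d)[a-z0-9]{6,}$")


def audit_running_config(config, expected_accounts, expected_tunnels):
    """Return a list of (finding, detail) tuples for the checks in the bulletin."""
    findings = []
    for name, level in USERNAME_RE.findall(config):
        if name in expected_accounts:
            continue  # documented account: nothing to flag
        if int(level) == 15:
            findings.append(("unexpected-priv15-account", name))
        if name.lower() in SUSPICIOUS_NAMES:
            findings.append(("known-suspicious-name", name))
        elif RANDOM_RE.match(name):
            findings.append(("random-looking-name", name))
    for tunnel in TUNNEL_RE.findall(config):
        if tunnel not in expected_tunnels:
            findings.append(("unknown-tunnel-interface", tunnel))
    if HTTP_RE.search(config):
        findings.append(("web-ui-enabled", "review exposure; disable if not required"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_running_config(SAMPLE_CONFIG, {"netadmin"}, set()):
        print(f"{kind}: {detail}")
```

Feed it the output of `show running-config` and maintain the allow-lists from your own change records; any finding still needs a human to confirm before the account or interface is removed.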
The ongoing exploitation of CVE-2023-20198 and the persistent use of the BADCANDY implant highlight the critical need for organizations to maintain robust patch management programs and continuously monitor their network infrastructure for signs of compromise. The ASD’s continued vigilance and timely advisories are crucial in helping Australian organizations defend against these evolving cyber threats. Further updates on the prevalence and nature of these attacks are anticipated as the situation develops.