The Australian Signals Directorate (ASD) has issued a bulletin about ongoing cyber attacks targeting unpatched Cisco IOS XE devices in the country with a previously undocumented implant known as BADCANDY.
The activity, per the intelligence agency, involves the exploitation of CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability that allows a remote, unauthenticated attacker to create an account with elevated privileges and use it to seize control of susceptible systems.
The security defect has come under active exploitation in the wild since last 2023, with China-linked threat actors like Salt Typhoon weaponizing it in recent months to breach telecommunications providers.
ASD noted that variations of BADCANDY have been detected since October 2023, with a fresh set of attacks continuing to be recorded in 2024 and 2025. As many as 400 devices in Australia are estimated to have been compromised with the malware since July 2025, out of which 150 devices were infected in October alone.
“BADCANDY is a low equity Lua-based web shell, and cyber actors have typically applied a non-persistent patch post-compromise to mask the device’s vulnerability status in relation to CVE-2023-20198,” it said. “In these instances, the presence of the BADCANDY implant indicates compromise of the Cisco IOS XE device, via CVE-2023-20198.”
The lack of a persistence mechanism means it cannot survive across system reboots. However, if the device remains unpatched and exposed to the internet, it’s possible for the threat actor to re-introduce the malware and regain access to it.
ASD has assessed that the threat actors are able to detect when the implant is removed and are infecting the devices again. This is based on the fact that re-exploitation has occurred on devices for which the agency has previously issued notifications to affected entities.
That having said, a reboot will not undo other actions undertaken by the attackers. It’s therefore essential that system operators apply the patches, limit public exposure of the web user interface, and follow necessary hardening guidelines issued by Cisco to prevent future exploitation attempts.
Some of the other actions outlined by the agency are listed below –
- Review the running configuration for accounts with privilege 15 and remove unexpected or unapproved accounts
- Review accounts with random strings or “cisco_tac_admin,” “cisco_support,” “cisco_sys_manager,” or “cisco” and remove them if not legitimate
- Review the running configuration for unknown tunnel interfaces
- Review TACACS+ AAA command accounting logging for configuration changes, if enabled
