The Australian Signals Directorate (ASD) has issued a bulletin regarding ongoing cyber attacks targeting unpatched Cisco IOS XE devices in the country, using an implant tracked as BadCandy.
According to the intelligence agency, the activity involves the exploitation of CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability that allows a remote, unauthenticated attacker to create an account with elevated privileges and use it to gain control of susceptible systems.
The security flaw has been actively exploited since late 2023, with China-linked threat actors like Salt Typhoon weaponizing it in recent months to breach telecommunications providers.
The ASD noted that variations of BadCandy have been detected since October 2023, with a new set of attacks continuing to be recorded in 2024 and 2025. It is estimated that around 400 devices in Australia have been affected by the malware since July 2025, with 150 devices infected in October alone.
“BadCandy is a low-stake Lua-based web shell, and cyber actors have commonly applied a non-permanent patch post-compromise to hide the vulnerability status of the device with respect to CVE-2023-20198,” it said. “In these cases, the presence of the BADCANDY implant indicates a compromise of Cisco IOS XE devices through CVE-2023-20198.”
Because BadCandy has no persistence mechanism, it does not survive a system reboot. However, if the device remains unpatched and exposed to the Internet, a threat actor can reintroduce the malware and regain access to it.
ASD has assessed that threat actors are able to detect when an implant has been removed and re-infect devices. This is based on the fact that re-exploitation has occurred on devices for which the agency had previously issued notifications to affected entities.
That said, a reboot will not undo other actions taken by the attackers, such as configuration changes made through the implant. It is therefore essential that system operators apply the patches, limit public exposure of the web user interface, and follow Cisco's hardening guidance to prevent further exploitation attempts.
Other actions recommended by the agency include:
- Review the running configuration for accounts with privilege 15 and remove unexpected or disallowed accounts
- Review accounts containing random strings or “cisco_tac_admin,” “cisco_support,” “cisco_sys_manager,” or “cisco” and remove them if not legitimate
- Review running configuration for unknown tunnel interfaces
- Review TACACS+ AAA command accounting logging for configuration changes when enabled
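The first three review steps above can be scripted against an exported running configuration. The following is an added example, not code from the ASD bulletin or from Cisco; it runs over a constructed, made-up config excerpt and uses a simple heuristic (hypothetical, not an ASD rule) for "random-looking" usernames:

```python
import re

# Constructed sample running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-router
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username x7Qk2p privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
interface Tunnel0
interface Tunnel99
ip http server
"""

# Account names the ASD bulletin says to review and remove if not legitimate.
SUSPECT_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}
USER_RE = re.compile(r"^username (\S+) privilege (\d+)", re.MULTILINE)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)", re.MULTILINE)

def looks_random(name):
    """Heuristic (assumption): letters mixed with digits, or no vowels at all."""
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    no_vowel = re.search(r"[aeiou]", name, re.IGNORECASE) is None
    return (has_digit and has_alpha) or no_vowel

def flag_privileged_accounts(config, expected_admins):
    """Return (username, reason) for every privilege-15 account not in the allowlist."""
    findings = []
    for name, level in USER_RE.findall(config):
        if level != "15" or name in expected_admins:
            continue
        if name in SUSPECT_NAMES:
            reason = "known attacker-style name"
        elif looks_random(name):
            reason = "random-looking name"
        else:
            reason = "not in expected admin list"
        findings.append((name, reason))
    return findings

def find_unknown_tunnels(config, expected_tunnels):
    """Tunnel interfaces present in the config but absent from the documented set."""
    return [t for t in TUNNEL_RE.findall(config) if t not in expected_tunnels]

def web_ui_enabled(config):
    """True if the HTTP(S) web UI that CVE-2023-20198 targets is switched on."""
    return re.search(r"^ip http (secure-)?server", config, re.MULTILINE) is not None
```

Any flagged account or tunnel should be compared against change records and TACACS+ command accounting before removal, since a legitimate but undocumented change and a post-exploitation change look the same in the config.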