ASD Warns of BADCANDY Malware Exploiting Cisco IOS XE Flaw with CVSS Score of 10

ASD Alerts to BADCANDY Malware Exploiting Cisco IOS XE Vulnerability

The Australian Signals Directorate (ASD) has issued a critical alert regarding ongoing cyber attacks targeting unpatched Cisco IOS XE devices across the nation. These attacks involve a previously undocumented implant known as BADCANDY, which exploits the CVE-2023-20198 vulnerability—a flaw with a CVSS score of 10.0. This vulnerability allows remote, unauthenticated attackers to create accounts with elevated privileges, enabling them to seize control of affected systems.

Since late 2023, this security defect has been actively exploited in the wild. Notably, threat actors linked to China, such as the group known as Salt Typhoon, have weaponized this vulnerability in recent months to breach telecommunications providers.

ASD reports that variations of the BADCANDY implant have been detected since October 2023, with a surge in attacks recorded throughout 2024 and 2025. Approximately 400 devices in Australia have been compromised with this malware since July 2025, with 150 infections occurring in October alone.

BADCANDY is characterized as a low-equity, Lua-based web shell. After compromise, the actors typically apply a non-persistent patch that masks whether the device is still vulnerable to CVE-2023-20198. Because the implant has no persistence mechanism, it cannot survive a system reboot. However, if the device remains unpatched and exposed to the internet, attackers can reintroduce the malware and regain access.

ASD has observed that threat actors can detect when the implant is removed and are capable of reinfecting devices. This assessment is based on instances where re-exploitation occurred on devices for which the agency had previously issued notifications to affected entities.

It’s crucial to note that a system reboot will not undo other actions undertaken by the attackers. Therefore, system operators are urged to apply the necessary patches, limit public exposure of the web user interface, and adhere to hardening guidelines issued by Cisco to prevent future exploitation attempts.

Additional recommended actions include:

– Reviewing the running configuration for accounts with privilege 15 and removing any unexpected or unapproved accounts.

– Identifying and removing accounts with random strings or names like cisco_tac_admin, cisco_support, cisco_sys_manager, or cisco if they are not legitimate.

– Examining the running configuration for unknown tunnel interfaces.

– Reviewing TACACS+ AAA command accounting logs for any unauthorized configuration changes, if logging is enabled.
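The configuration review steps above can be scripted against an exported `show running-config`. The following is an added example, not part of the ASD alert or any Cisco tooling: it flags privilege 15 accounts outside an approved list, the account names the alert calls out, random-looking usernames (a crude heuristic, assumed here), and tunnel interfaces not in an approved set. The config text is constructed for the example.

```python
import re

# Constructed sample of a Cisco IOS XE running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-router-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
username Xq7r9zLp privilege 15 secret 9 $9$PLACEHOLDER
!
interface Tunnel0
 description site-to-site to branch
!
interface Tunnel99
 ip address 10.255.255.1 255.255.255.252
!
interface GigabitEthernet1
!
"""

# Account names the ASD alert says to treat as suspect unless legitimate.
SUSPICIOUS_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}


def looks_random(name):
    """Heuristic (an assumption, not from the alert): a longer alphanumeric
    name mixing letters and digits with no separators reads as random."""
    return (len(name) >= 8 and "_" not in name and "-" not in name
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def audit_config(config, approved_admins, approved_tunnels):
    """Return (finding_type, item) pairs for the checklist items in the alert."""
    findings = []
    for m in re.finditer(r"^username (\S+) privilege (\d+)", config, re.M):
        name, priv = m.group(1), int(m.group(2))
        if name in approved_admins:
            continue  # known, approved administrator account
        if name.lower() in SUSPICIOUS_NAMES:
            findings.append(("suspicious_name", name))
        elif looks_random(name):
            findings.append(("random_like_name", name))
        elif priv == 15:
            findings.append(("unexpected_priv15", name))
    for m in re.finditer(r"^interface (Tunnel\d+)", config, re.M):
        if m.group(1) not in approved_tunnels:
            findings.append(("unknown_tunnel", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, item in audit_config(SAMPLE_CONFIG, {"netops"}, {"Tunnel0"}):
        print(f"{kind}: {item}")
```

A finding is a prompt for review, not proof of compromise; confirm each account and tunnel against change records before removing it.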

By implementing these measures, organizations can bolster their defenses against the BADCANDY implant and mitigate the risks associated with the CVE-2023-20198 vulnerability.