The Australian government is warning of ongoing cyberattacks against unpatched Cisco IOS XE devices in the country that infect routers with the BadCandy webshell.
The vulnerability exploited in these attacks is CVE-2023-20198, a maximum-severity flaw that allows remote, unauthenticated threat actors to create a local admin user through the web user interface (web UI) and take over the device.
Cisco fixed the flaw in October 2023, at which point it was already flagged as actively exploited. A public exploit became available two weeks later, fueling mass exploitation to plant backdoors on internet-exposed devices.
The Australian government has warned that variants of the same Lua-based BadCandy web shell are still being used in attacks throughout 2024 and 2025, indicating that many Cisco devices remain unpatched.
Once installed, BadCandy allows remote attackers to execute commands with root privileges on compromised devices.
The webshell is wiped from the device upon reboot. However, given the lack of a patch on these devices, and assuming the web interface remains reachable, the attackers can easily re-introduce it. Note that a reboot removes only the in-memory implant: any local admin accounts created through the vulnerability are stored in the configuration and persist until an administrator removes them.
“Since July 2025, ASD assesses over 400 devices have been likely compromised with BADCANDY in Australia,” reads the bulletin. “As at late October 2025, there are still over 150 devices compromised with BADCANDY in Australia.”

[Chart of BADCANDY compromises in Australia] Source: ASD
Though the variety of infections is declining, the company has seen indicators of re-exploitation of the flaw towards the identical endpoints, although the breach entities have been appropriately alerted.
In response to the company, the attackers can detect when the BadCandy implant will get eliminated and goal the identical gadget to re-introduce it.
In response to the continued assaults, the Australian Indicators Directorate is sending notifications to victims that embody directions on patching, hardening units, and conducting incident response. For units whose homeowners can’t be decided, the ASD is asking web service suppliers to contact victims on their behalf.
The ASD mentions that the flaw has been beforehand leveraged by state actors such because the Chinese language’ Salt Hurricane,’ who’re thought of chargeable for a sequence of assaults towards giant telecommunication service suppliers throughout the U.S. and Canada.
The company believes that, although BadCandy can theoretically be utilized by anybody, the current spikes may be attributed to “state-sponsored cyber-actors.”
Directors of Cisco IOS XE methods worldwide, together with in Australia, ought to observe the seller’s mitigation suggestions within the security bulletin.
Cisco has additionally revealed an in depth hardening information for IOS XE units.
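As an added illustration, not code from the ASD bulletin or from Cisco, the following script checks the two things a defender can read straight out of a device's running-config: whether the web UI that CVE-2023-20198 is reached through is enabled without an access class, and whether a privilege-15 local user exists that nobody on the team created (the artefact the exploit leaves behind, which survives the reboot that wipes the implant). The sample config, the KNOWN_ADMINS set and the account name webui_admin are constructed assumptions; the IOS XE commands `ip http server`, `ip http secure-server`, `ip http access-class` and `username ... privilege 15` are real configuration syntax.

```python
import re

# Constructed sample of 'show running-config' output; not from any real device.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username webui_admin privilege 15 secret 9 $9$REDACTED
username monitor secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Assumption: the operator maintains this list of the privilege-15 accounts it expects.
KNOWN_ADMINS = {"netops"}


def parse_config(text):
    """Extract the fields this audit needs from IOS XE running-config text."""
    lines = [line.strip() for line in text.splitlines()]
    cfg = {
        "http_server": "ip http server" in lines,
        "http_secure_server": "ip http secure-server" in lines,
        "http_access_class": None,  # ACL restricting the web UI, if one is configured
        "users": {},                # username -> privilege level (IOS default is 1)
    }
    for line in lines:
        acl = re.match(r"ip http access-class (?:ipv4 )?(\S+)", line)
        if acl:
            cfg["http_access_class"] = acl.group(1)
        user = re.match(r"username (\S+)(?: privilege (\d+))?", line)
        if user:
            cfg["users"][user.group(1)] = int(user.group(2) or 1)
    return cfg


def audit(text, known_admins):
    """Return findings: an unrestricted web UI, and privilege-15 users nobody expects."""
    cfg = parse_config(text)
    findings = []
    web_ui_on = cfg["http_server"] or cfg["http_secure_server"]
    if web_ui_on and cfg["http_access_class"] is None:
        findings.append("web UI enabled without 'ip http access-class'; "
                        "CVE-2023-20198 is reachable from any host that can reach the device")
    for name, priv in sorted(cfg["users"].items()):
        if priv == 15 and name not in known_admins:
            findings.append(f"unexpected privilege-15 local user '{name}'")
    return findings


def remediation(text):
    """IOS XE commands that close the exploited path by disabling the HTTP/HTTPS servers."""
    cfg = parse_config(text)
    cmds = []
    if cfg["http_server"]:
        cmds.append("no ip http server")
    if cfg["http_secure_server"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, KNOWN_ADMINS):
        print("FINDING:", finding)
    for cmd in remediation(SAMPLE_CONFIG):
        print("APPLY:", cmd)
```

Feed it the saved output of `show running-config` from each device. The remediation mirrors Cisco's core recommendation of disabling the HTTP server feature; where the web UI must stay on, an `ip http access-class` limited to management hosts narrows exposure but does not remove the vulnerable code, so patching is still required. An unexpected privilege-15 user is a signal to start incident response, not just to delete the account.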
