Cybersecurity authorities are sounding the alarm as malicious actors continue to exploit a critical vulnerability in Cisco IOS XE devices, deploying a malicious implant known as BADCANDY on networks around the world.
The Australian Signals Directorate (ASD) confirmed that more than 150 devices remained compromised in Australia alone as of the end of October 2025, despite ongoing remediation efforts that began when the vulnerability was first weaponized in October 2023.
The BADCANDY implant represents a sophisticated but accessible threat to organizations that rely on Cisco IOS XE software with web UI capabilities.
This Lua-based web shell exploits CVE-2023-20198, a critical vulnerability that allows unauthenticated, remote attackers to create highly privileged accounts on vulnerable systems and establish complete control over affected devices.
What makes this campaign particularly concerning is the threat actors’ systematic approach to obfuscation: after an initial compromise, attackers typically apply a non-persistent patch that hides the device’s vulnerable state, making detection much more difficult for network defenders.
Since July 2025, ASD assessments indicate that more than 400 Australian devices have been potentially compromised by BADCANDY, demonstrating the scale and persistence of this exploitation campaign.
Security researchers have documented variations of the BADCANDY implant that have emerged continuously throughout 2024 and 2025, indicating sustained development and deployment by multiple threat actor groups.
Cisco IOS XE vulnerability
Although BADCANDY is classified as a low-capital implant that does not survive device reboots, its non-persistent nature provides little reassurance to security teams.
The vulnerability has attracted the attention of both criminal syndicates and state-sponsored threat actors, including the notorious SALT TYPHOON group, and has been listed among the top routinely exploited vulnerabilities of 2023.
Once malicious actors gain initial access through exploitation of CVE-2023-20198, they frequently harvest account credentials or establish alternative persistence mechanisms that survive even after removal of the BADCANDY implant.
This creates scenarios where attackers maintain access to compromised networks long after the initial infection vector has been eliminated, enabling lateral movement, data exfiltration, and long-term espionage operations.
ASD observed a worrying pattern of re-exploitation targeting previously compromised devices where organizations failed to apply necessary patches or left the web interface exposed to Internet traffic.
Cybersecurity analysts believe that malicious actors have developed detection capabilities that alert them when BADCANDY implants are removed, triggering immediate re-exploitation attempts.
This creates a dangerous cycle where organizations that simply reboot devices without addressing the underlying vulnerability find themselves repeatedly compromised.
Network Edge Devices
Australian cybersecurity authorities are conducting comprehensive victim notification campaigns through service providers, urging organizations to implement immediate protective measures.
Critical actions include examining running configurations for privilege 15 accounts with suspicious names such as “cisco_tac_admin”, “cisco_support”, “cisco_sys_manager” or random strings, and removing any discovered unauthorized accounts.
Organizations should also review configurations for unknown tunnel interfaces and review TACACS+ AAA command accounting logs for evidence of unauthorized configuration changes.
The most essential protective measure remains the application of Cisco’s official patch for CVE-2023-20198, available via the company’s security advisory for several vulnerabilities in the web user interface functionality of Cisco IOS XE software.
Although restarting compromised devices removes the BADCANDY implant, this action alone does not provide sufficient protection without patching and appropriate hardening.
Organizations should disable HTTP server functionality if not operationally necessary and implement comprehensive edge device security policies in accordance with the Cisco IOS XE Hardening Guide.
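The configuration checks described above (privilege 15 accounts with the named suspicious usernames or otherwise not in the operator's baseline, unknown tunnel interfaces, and whether the HTTP server is still enabled) can be scripted as a first-pass triage over a saved running-config. The following Python is an added example, not code from the advisory, ASD or Cisco; the config text is a constructed sample, the hostname and account names are hypothetical, and the baseline sets passed to `triage()` stand in for an organization's own allow-list. The TACACS+ accounting review mentioned above is not covered here.

```python
"""
Added example: offline triage of a Cisco IOS XE running-config for the
indicators described in the BADCANDY advisory. The sample config below is
constructed for illustration, not captured from a real device.
"""
import re

# Account names called out in the advisory. Any other privilege 15 account
# that is not in the operator's own baseline is also reported, which is how
# the "random string" usernames are caught.
KNOWN_BAD_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

# Constructed sample running-config fragment (hypothetical device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username x7q2lp privilege 15 secret 9 $9$placeholder
username helpdesk privilege 1 secret 9 $9$placeholder
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
!
interface Tunnel99
 ip address 192.0.2.1 255.255.255.252
!
ip http server
ip http secure-server
!
end
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)", re.MULTILINE)
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-)?server\s*$", re.MULTILINE)


def find_suspicious_priv15(config: str, expected_admins: set[str]) -> list[tuple[str, str]]:
    """Return (username, reason) for every privilege 15 account that is either
    a known BADCANDY-associated name or absent from the operator's baseline."""
    findings = []
    for name, priv in USERNAME_RE.findall(config):
        if priv != "15":
            continue
        if name in KNOWN_BAD_NAMES:
            findings.append((name, "known BADCANDY-associated account name"))
        elif name not in expected_admins:
            findings.append((name, "privilege 15 account not in baseline"))
    return findings


def find_unknown_tunnels(config: str, expected_tunnels: set[str]) -> list[str]:
    """Tunnel interfaces present in the config but not in the baseline."""
    return [t for t in TUNNEL_RE.findall(config) if t not in expected_tunnels]


def http_server_enabled(config: str) -> dict[str, bool]:
    """Report the configured state of 'ip http server' and 'ip http secure-server'.
    A line prefixed with 'no ' disables the feature. If neither line appears,
    the platform default applies and the feature is reported as not configured;
    confirm on the device rather than assuming it is off."""
    state = {"http": False, "https": False}
    for neg, secure in HTTP_RE.findall(config):
        state["https" if secure else "http"] = not neg
    return state


def triage(config: str, expected_admins: set[str], expected_tunnels: set[str]) -> dict:
    """Run all three checks and return a structured report."""
    return {
        "suspicious_accounts": find_suspicious_priv15(config, expected_admins),
        "unknown_tunnels": find_unknown_tunnels(config, expected_tunnels),
        "web_ui": http_server_enabled(config),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CONFIG, {"netops"}, {"Tunnel0"})
    for name, why in report["suspicious_accounts"]:
        print(f"[account] {name}: {why}")
    for tunnel in report["unknown_tunnels"]:
        print(f"[tunnel] {tunnel} not in baseline")
    if report["web_ui"]["http"] or report["web_ui"]["https"]:
        print("[web-ui] HTTP server enabled: patch CVE-2023-20198 and disable if not required")
```

A clean report from this script is not proof the device is clean: the advisory notes that attackers harvest credentials and set up other persistence after removal of the implant, so a flagged account or tunnel should trigger a full incident response rather than a quick delete-and-reboot, and patching plus disabling the web UI remains the control that actually closes the door.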
The steady decline from more than 400 compromised devices at the end of 2023 to fewer than 200 in 2025 demonstrates progress, but persistent fluctuations in the count of compromised devices indicate ongoing re-exploitation activity.
As edge devices represent critical network components ensuring perimeter security, organizations must prioritize immediate remedial action to eliminate this persistent threat vector that continues to endanger Australian networks and global infrastructure.