BadCandy Webshell Threatens Unpatched Cisco IOS XE Devices, Australian Government Warns
November 1, 2025
Australia warns of attacks on unpatched Cisco IOS XE devices exploiting CVE-2023-20198, allowing installation of BadCandy webshell.
The Australian Signals Directorate (ASD) is warning of ongoing attacks on unpatched Cisco IOS XE devices exploiting CVE-2023-20198, enabling BadCandy WebShell infections and administrator takeover.
“Cyber actors are installing an implant called ‘BADCANDY’ on Cisco IOS” reads the alert issued by the ASD.
An attacker can exploit the vulnerability CVE-2023-20198 (CVSS score 10) in Cisco IOS XE software to gain administrator privileges and take control of vulnerable routers. The advisory published by the vendor states that exploitation of the vulnerability allows an unauthenticated, remote attacker to create an account on an affected system with privilege level 15 access.
The flaw affects physical and virtual devices that have the Web User Interface (Web UI) feature enabled and on which the HTTP or HTTPS Server feature is in use.
Since July 2025, the Australian agency has observed more than 400 devices potentially compromised by BADCANDY in the country. As of late October 2025, more than 150 devices compromised by BADCANDY in Australia were still exposed online.
BADCANDY is a Lua-based webshell deployed on Cisco IOS XE devices through exploitation of CVE-2023-20198. It does not persist across a reboot, but attackers can maintain access through credentials they stole while the implant was present. Patching and restricting access to the web UI are necessary to prevent re-exploitation.
“ASD believes that actors are capable of detecting BADCANDY implant removal and re-exploiting the devices. This further highlights the need to apply patches against CVE-2023-20198 to prevent re-exploitation,” the alert continues.
ASD notifies affected entities and provides advice on patching, rebooting, hardening and incident response. The agency will continue issuing alerts so that operators know when their devices have been compromised.
Government experts recommend that operators remove BADCANDY by examining the device for unauthorized privileged accounts and removing them, checking for unknown tunnel interfaces, and monitoring configuration changes via TACACS+ logging.
Organizations should follow Cisco's recommendations: disable the HTTP server feature and apply the IOS XE hardening guide to prevent future BADCANDY compromises.
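The checks recommended above (unauthorized privilege-15 accounts, unknown tunnel interfaces, web UI exposure) can be run against a saved `show running-config` before and after remediation. The script below is an added example written for this article; it is not tooling from the ASD, Cisco or the original post. The configuration excerpt is constructed for illustration, and the `KNOWN_PRIV15_USERS` and `KNOWN_TUNNELS` allowlists are assumptions that an operator would fill in from their own change records.

```python
import re
from typing import Dict, List

# Constructed sample of a Cisco IOS XE running-config excerpt (not captured from
# any real device). It contains the three artefacts the guidance asks operators
# to look for: an extra privilege-15 user, an unexpected Tunnel interface, and
# the HTTP/HTTPS server feature enabled.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel100
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.50
!
ip http server
ip http secure-server
!
end
"""

# Assumption: the operator maintains these allowlists out of band.
KNOWN_PRIV15_USERS = {"netadmin"}
KNOWN_TUNNELS: set = set()  # no tunnel interfaces are part of the approved design

USER_RE = re.compile(r"^username (\S+) privilege (\d+)")
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)")
HTTP_RE = re.compile(r"^(no )?ip http (secure-)?server$")


def audit_config(config: str) -> Dict[str, List[str]]:
    """Scan a running-config for the artefacts associated with the post-exploitation
    activity described in the ASD alert and return them grouped by category."""
    findings: Dict[str, List[str]] = {
        "unknown_priv15_users": [],
        "unknown_tunnels": [],
        "web_ui_enabled": [],
    }
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m and int(m.group(2)) == 15 and m.group(1) not in KNOWN_PRIV15_USERS:
            findings["unknown_priv15_users"].append(m.group(1))
            continue
        m = TUNNEL_RE.match(line)
        if m and m.group(1) not in KNOWN_TUNNELS:
            findings["unknown_tunnels"].append(m.group(1))
            continue
        m = HTTP_RE.match(line)
        # "no ip http server" is the hardened state; only the positive form is a finding.
        if m and m.group(1) is None:
            findings["web_ui_enabled"].append(line)
    return findings


def remediation_commands(findings: Dict[str, List[str]]) -> List[str]:
    """Translate findings into the IOS XE config-mode commands an operator would
    review and apply by hand; patching the device is still required."""
    cmds: List[str] = []
    for user in findings["unknown_priv15_users"]:
        cmds.append(f"no username {user}")
    for tunnel in findings["unknown_tunnels"]:
        cmds.append(f"no interface {tunnel}")
    if findings["web_ui_enabled"]:
        cmds.extend(["no ip http server", "no ip http secure-server"])
    return cmds


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("suggested remediation:")
    for cmd in remediation_commands(result):
        print(f"  {cmd}")
```

The audit only sees what is written to the configuration; the Lua implant itself lives in memory and is gone after a reboot, so a clean config after a restart says nothing about whether the device has been patched. Rerunning the audit after remediation, and alerting on any reappearance of a privilege-15 account or tunnel interface, is the practical way to catch the re-exploitation the ASD describes.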
(Security Affairs – hack, Cisco IOS XE)