The Australian Signals Directorate (ASD) has issued a bulletin on ongoing cyberattacks against unpatched Cisco IOS XE devices in Australia that deploy an implant tracked as BADCANDY. The attacks exploit CVE-2023-20198, a critical vulnerability in the IOS XE web user interface that lets a remote, unauthenticated attacker create an account with the highest privilege level and take full control of the device.
The flaw carries a CVSS score of 10.0 and has been exploited globally since late 2023. The ASD's alert describes the deployment of BADCANDY, a Lua-based web shell, in an escalating campaign that has affected hundreds of Australian devices through 2024 and 2025, and stresses that network infrastructure remains exposed wherever the patch has not been applied.
CVE-2023-20198 allows a remote, unauthenticated attacker to create a privilege level 15 account, the equivalent of full administrative access on IOS XE, and thereby seize control of the device. It has been widely exploited in the wild; China-linked groups such as Salt Typhoon have used it in earlier campaigns to compromise telecommunications providers. Given how much of a network a single compromised edge router can expose, the flaw demands immediate attention from operators.
The ASD has tracked variants of the BADCANDY implant since October 2023 and reports a fresh wave of attacks continuing through 2024 and 2025. According to the bulletin, approximately 400 devices in Australia are estimated to have been compromised since July 2025, around 150 of them in October 2025 alone, indicating a sustained and targeted effort against Australian infrastructure.
The ASD describes BADCANDY as a "low equity Lua-based web shell" that gives the actors continued access to the device. Actors deploying it have also typically applied a non-persistent patch after compromise, which masks the device's true vulnerability status: the device appears patched to an external scan while remaining vulnerable to CVE-2023-20198. Neither the implant nor that patch has a persistence mechanism, so both are lost on reboot, but the ASD has observed the actors re-infecting devices after BADCANDY was removed. This suggests they can detect when the implant is no longer present and regain access to any device that is still unpatched and exposed to the internet.
Operators should note that a reboot removes the BADCANDY implant but does not undo anything else the attackers did during the compromise, such as accounts or configuration they added, and the device remains vulnerable. Applying Cisco's fix for CVE-2023-20198 is therefore essential to prevent re-exploitation. The ASD further recommends limiting public exposure of the web user interface (the IOS XE HTTP/HTTPS server feature) and following Cisco's hardening guidance for IOS XE devices.
Additional mitigation steps recommended by the ASD include a thorough review of the running configuration for unexpected or unapproved accounts with privilege level 15. Accounts with random-string names or generic names such as "cisco_tac_admin", "cisco_support", "cisco_sys_manager" or "cisco" should be removed unless their legitimacy can be confirmed. Operators should also inspect the configuration for unknown tunnel interfaces and, where TACACS+ AAA command accounting is enabled, review those logs for unauthorised configuration changes. The aim is to find and remove any backdoor or persistent access the attackers established beyond the implant itself.
Organisations managing Cisco IOS XE devices are urged to apply these measures immediately. Approximately 400 Australian devices have already been compromised, and the attackers have shown they will re-infect devices that remain unpatched and exposed. Prompt patching and configuration review are critical to prevent further exploitation.
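The review steps above are easy to script against a saved `show running-config`. The following is an added example written for this article, not tooling from the ASD or Cisco: it flags privilege 15 accounts that are generic or not on a local approved list (with a heuristic for random-looking names), unknown Tunnel interfaces, a web UI that is enabled without an `ip http access-class` restriction, and the absence of TACACS+ command accounting for privilege 15. The sample configuration, the approved account `netops` and the approved interface `Tunnel0` are constructed for the example.

```python
"""Review an IOS XE running-config for the post-compromise artefacts the ASD
bulletin tells operators to look for. Added example, not ASD or Cisco tooling."""
import re
from typing import Dict, Iterable, List

# Generic account names the bulletin says the attackers commonly create.
KNOWN_BAD_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}

# Heuristic for attacker-generated "random string" names: 8+ alphanumerics mixing
# letters and digits with no separator. Tune to local naming conventions.
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{8,}$")

USERNAME_RE = re.compile(r"^username\s+(\S+)\s.*\bprivilege\s+15\b")
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)\b", re.IGNORECASE)


def audit_ios_xe_config(config: str,
                        approved_accounts: Iterable[str] = (),
                        approved_tunnels: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return findings keyed by check. An empty list means nothing was flagged."""
    approved_accounts = set(approved_accounts)
    approved_tunnels = set(approved_tunnels)
    findings: Dict[str, List[str]] = {"accounts": [], "tunnels": [], "webui": [], "accounting": []}
    webui_enabled: List[str] = []
    webui_restricted = False
    cmd_accounting = False

    for raw in config.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            name = m.group(1)
            if name in KNOWN_BAD_NAMES:
                findings["accounts"].append(f"{name}: generic name seen in BADCANDY intrusions")
            elif name not in approved_accounts:
                why = "random-looking string" if RANDOM_NAME_RE.match(name) else "not in approved list"
                findings["accounts"].append(f"{name}: {why}")
            continue
        m = TUNNEL_RE.match(line)
        if m:
            if m.group(1) not in approved_tunnels:
                findings["tunnels"].append(m.group(1))
            continue
        if line in ("ip http server", "ip http secure-server"):
            webui_enabled.append(line)
        elif line.startswith("ip http access-class"):
            webui_restricted = True
        elif line.startswith("aaa accounting commands 15") and "tacacs+" in line:
            cmd_accounting = True

    if webui_enabled and not webui_restricted:
        findings["webui"].append(
            "web UI enabled (" + ", ".join(webui_enabled) + ") with no 'ip http access-class'; "
            "disable it with 'no ip http server' / 'no ip http secure-server' or restrict it")
    if not cmd_accounting:
        findings["accounting"].append(
            "no 'aaa accounting commands 15 ... group tacacs+'; configuration changes made "
            "through an attacker-created account cannot be reviewed from TACACS+ logs")
    return findings


# Constructed sample running-config (not from a real device). 'netops' and 'Tunnel0'
# are the locally approved items; the rest are the kinds of artefacts to look for.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
username netops privilege 15 secret 9 <redacted>
username cisco_tac_admin privilege 15 secret 9 <redacted>
username x7Ks92QpLm privilege 15 secret 9 <redacted>
username monitor privilege 1 secret 9 <redacted>
interface GigabitEthernet1
 ip address 203.0.113.10 255.255.255.0
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
interface Tunnel100
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
ip http server
ip http secure-server
"""

if __name__ == "__main__":
    for check, items in audit_ios_xe_config(SAMPLE_CONFIG, {"netops"}, {"Tunnel0"}).items():
        for item in items:
            print(f"[{check}] {item}")
```

Run it against a config pulled over SSH rather than the device's web UI, and treat an empty result as necessary but not sufficient: the script only sees the running configuration, so it cannot tell whether the attacker's non-persistent patch is masking the device's true vulnerability status. Confirm the installed software version against Cisco's advisory separately.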

