
ASD Warns of BADCANDY Cyber Attacks Exploiting Cisco IOS XE Vulnerability

  • Writer: Arthur George
  • Nov 3, 2025
  • 2 min read

[Illustration: BADCANDY malware exploit on Cisco IOS XE vulnerability]
ASD warns of BADCANDY malware exploiting unpatched Cisco IOS XE systems across Australia.

The Australian Signals Directorate (ASD) has issued a security alert warning about ongoing cyberattacks targeting unpatched Cisco IOS XE devices in Australia. The attacks deploy a previously undocumented implant called BADCANDY by exploiting a critical flaw in Cisco’s network software.


Critical CVE-2023-20198 Exploit Used in Attacks


The attacks leverage CVE-2023-20198 (CVSS score: 10.0) — a severe vulnerability that allows remote, unauthenticated attackers to create accounts with administrative privileges, giving them full control over affected systems.


The flaw has been actively exploited since late 2023, with China-linked threat actors, including the group Salt Typhoon, using it to compromise telecommunications networks.


According to ASD, BADCANDY variants have been detected since October 2023, with new attack waves continuing through 2024 and 2025. As of July 2025, around 400 Cisco devices in Australia have been compromised, including 150 infections in October alone.


How the BADCANDY Malware Operates


BADCANDY is described as a lightweight Lua-based web shell used by attackers to maintain access to vulnerable systems.


After exploiting the flaw, attackers apply a non-persistent patch that hides the device’s vulnerability status, making it appear secure even though it remains compromised.


While BADCANDY does not persist after a reboot, unpatched and internet-exposed devices are vulnerable to reinfection, as attackers can easily reintroduce the malware.


ASD noted that, following its earlier notifications to affected organizations, threat actors appear to be monitoring for implant removal and reinfecting the same systems.


Mitigation and Security Recommendations


The ASD has urged organizations to patch affected systems immediately, limit public exposure of Cisco web interfaces, and implement Cisco’s latest hardening guidelines.


Other essential actions include:

  • Review privileged accounts (level 15) and remove any unauthorized entries.

  • Check for suspicious usernames such as cisco_tac_admin, cisco_support, cisco_sys_manager, or random strings.

  • Inspect running configurations for unknown tunnel interfaces.

  • Review TACACS+ AAA command accounting logs for unusual configuration changes.
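The checklist above can be turned into a repeatable audit. The script below is an added example, not ASD or Cisco tooling: it parses a constructed running-config excerpt and a constructed set of TACACS+ command-accounting lines (the log format is an assumption), flags privilege-15 accounts outside an approved list, names the usernames the advisory calls out, reports Tunnel interfaces missing from a baseline, notes whether the HTTP/HTTPS server is enabled, and lists configuration commands issued by users who are not approved administrators.

```python
"""Audit a Cisco IOS XE running-config and TACACS+ accounting log for the
indicators named in the ASD BADCANDY checklist.

Added example with constructed sample data; not ASD's or Cisco's own tooling.
"""
import re

# Usernames the advisory lists as suspicious on compromised devices.
KNOWN_BAD_USERNAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

# Constructed running-config excerpt from a hypothetical device "edge-rtr-01".
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username zq8v1x privilege 15 secret 9 $9$placeholder
username readonly privilege 1 secret 9 $9$placeholder
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
interface Tunnel7
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.20
ip http server
ip http secure-server
"""

# Constructed TACACS+ command-accounting lines; the "user=... cmd=..." layout
# is an assumption, adjust ACCT_RE to your AAA server's real format.
SAMPLE_ACCOUNTING = """\
Oct 21 03:14:07 edge-rtr-01 tac_plus: user=netops cmd=show running-config
Oct 21 03:22:51 edge-rtr-01 tac_plus: user=cisco_tac_admin cmd=configure terminal
Oct 21 03:22:58 edge-rtr-01 tac_plus: user=cisco_tac_admin cmd=username zq8v1x privilege 15 secret ...
Oct 21 03:23:10 edge-rtr-01 tac_plus: user=cisco_tac_admin cmd=interface Tunnel7
"""

USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)")
INTERFACE_RE = re.compile(r"^interface (\S+)")
ACCT_RE = re.compile(r"user=(\S+) cmd=(.*)$")
WEB_SERVER_LINES = {"ip http server", "ip http secure-server"}
# Command prefixes that change configuration rather than just read it.
CONFIG_VERBS = ("configure", "username", "interface", "ip http", "tunnel")


def audit_config(config, approved_admins, approved_tunnels):
    """Return (category, item, reason) tuples for each indicator found."""
    findings = []
    for raw in config.splitlines():
        line = raw.rstrip()
        m = USERNAME_RE.match(line)
        if m:
            user, priv = m.group(1), int(m.group(2))
            if priv == 15 and user not in approved_admins:
                reason = ("known suspicious username from advisory"
                          if user in KNOWN_BAD_USERNAMES
                          else "unapproved level-15 account")
                findings.append(("account", user, reason))
            continue
        m = INTERFACE_RE.match(line)
        if m and m.group(1).lower().startswith("tunnel"):
            if m.group(1) not in approved_tunnels:
                findings.append(("interface", m.group(1),
                                 "tunnel interface not in baseline"))
            continue
        if line.strip() in WEB_SERVER_LINES:
            findings.append(("exposure", line.strip(),
                             "web UI enabled; restrict or disable per hardening guidance"))
    return findings


def audit_accounting(log, approved_admins):
    """Return (category, user, command) for config changes by non-approved users."""
    findings = []
    for line in log.splitlines():
        m = ACCT_RE.search(line)
        if not m:
            continue
        user, cmd = m.group(1), m.group(2).strip()
        if user not in approved_admins and cmd.startswith(CONFIG_VERBS):
            findings.append(("accounting", user, cmd))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, {"netops"}, set()):
        print("CONFIG", *f)
    for f in audit_accounting(SAMPLE_ACCOUNTING, {"netops"}):
        print("AAA", *f)
```

Feed it the output of `show running-config` exported from each device and your AAA server's accounting export; the approved-admin and baseline-tunnel sets should come from change management, not from the device itself, since a compromised device's config is exactly what is in question.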


A system reboot will not undo attacker modifications already made. Therefore, comprehensive remediation and patching are crucial to prevent further exploitation.


Stay Informed


The ASD’s latest advisory highlights the critical importance of patch management and continuous monitoring for network devices.





© 2025 by NeuroFiscal
