The Australian Signals Directorate (ASD) has issued a high-priority cybersecurity advisory warning of active BADCANDY malware infections targeting unpatched Cisco IOS XE devices across Australia. The campaign leverages the long-known and critical CVE-2023-20198 vulnerability — a CVSS 10.0-rated flaw — that allows unauthenticated remote attackers to gain full administrative control of affected systems.
A Quick Recap: What’s Happening
Since late 2023, this vulnerability has been actively exploited in the wild, most notably by China-linked threat groups such as Salt Typhoon, who have targeted telecom providers and critical network infrastructure.
The ASD’s latest bulletin confirms that the campaign is far from over. As of October 2025, approximately 400 Cisco IOS XE devices in Australia have been compromised, with 150 infections occurring just in October — a sharp resurgence of activity suggesting renewed targeting or automation by the attackers.
Inside the BADCANDY Implant
BADCANDY is described as a Lua-based web shell — lightweight, modular, and particularly effective for stealthy post-compromise control. While it lacks persistence (it’s wiped after a reboot), attackers are reintroducing it by repeatedly exploiting unpatched devices.
Here’s what makes this threat tricky:
- After initial compromise, attackers often apply a fake patch to make it appear as though the vulnerability has been fixed.
- This non-persistent patch hides the device’s vulnerable status, deceiving both admins and scanning tools.
- Even when the implant is removed, re-exploitation occurs if the system remains unpatched and exposed to the internet.
In short, if you’re not patched, you’re still a target — and attackers can easily re-enter your environment.
Why This Matters — and Not Just for Network Teams
Cisco IOS XE devices sit at the core of enterprise and service provider networks. When compromised, they can be used to:
- Intercept and reroute traffic
- Deploy secondary payloads or network implants
- Manipulate configurations to open backdoors
- Exfiltrate credentials or confidential routing data
For CIOs, CISOs, and network managers, this means the compromise goes beyond a single device — it impacts trust, visibility, and operational integrity across the network stack.
ASD’s Recommended Actions (Summarized for Practitioners)
ASD’s bulletin emphasizes urgent action. Here’s what every affected organization should do immediately:
1. Patch and harden:
- Apply Cisco’s latest patches addressing CVE-2023-20198.
- Disable or restrict web UI access from the public internet.
- Implement Cisco’s hardening guidelines and configuration best practices.
2. Audit configurations:
- Review all privilege 15 accounts — remove unknown or unapproved users.
- Watch for suspicious usernames such as:
  - cisco_tac_admin
  - cisco_support
  - cisco_sys_manager
  - or any random-string accounts.
- Inspect configurations for unknown tunnel interfaces or unexpected changes.
3. Check logs and authentication records:
- Review TACACS+ AAA command accounting logs for unauthorized configuration edits.
- Pay attention to any changes made outside approved maintenance windows.
4. Don’t rely on a reboot:
While rebooting removes the web shell, it does not undo other malicious modifications. Patch first — then reboot — and verify integrity post-restart.
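To make steps 1 to 3 concrete, here is an added audit helper (example code written for this post, not a tool from ASD or Cisco) that scans a running-config and TACACS+ command-accounting lines for the indicators listed above: privilege 15 accounts that are not on an approved list (including the ASD-listed names and random-looking strings), unknown Tunnel interfaces, the web UI being enabled, and configuration commands issued outside an approved maintenance window. The config excerpt, the accounting lines, the approved-admin list, the known-tunnel list and the maintenance window are all constructed assumptions; real AAA server exports use their own field layout, so adapt the regex to yours.

```python
"""Audit helper for the ASD BADCANDY checklist (added example, not ASD/Cisco code).
All sample inputs below are constructed and do not describe a real device."""
import re
from datetime import datetime, timezone

# Constructed IOS XE running-config excerpt.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username x9qz1k privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
interface Tunnel99
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
end
"""

# Constructed, simplified TACACS+ command-accounting lines (real exports differ).
SAMPLE_ACCOUNTING = """\
2025-10-11T23:05:10Z user=netadmin cmd="configure terminal"
2025-10-14T03:12:44Z user=x9qz1k cmd="configure terminal"
2025-10-14T03:12:59Z user=x9qz1k cmd="username cisco_tac_admin privilege 15 secret 9 PLACEHOLDER"
2025-10-14T03:13:20Z user=x9qz1k cmd="interface Tunnel99"
"""

APPROVED_PRIV15 = {"netadmin"}   # assumption: your change-controlled admin accounts
KNOWN_TUNNELS = set()            # assumption: no tunnel interfaces are documented
ASD_LISTED_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}
# Assumed approved maintenance window: Sat 2025-10-11 22:00 to Sun 02:00 UTC.
MAINTENANCE_WINDOWS = [(datetime(2025, 10, 11, 22, tzinfo=timezone.utc),
                        datetime(2025, 10, 12, 2, tzinfo=timezone.utc))]

USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)")
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)")
ACCT_RE = re.compile(r'^(\S+) user=(\S+) cmd="([^"]*)"')
CONFIG_CMDS = ("configure terminal", "username ", "interface ", "ip http")


def looks_random(name: str) -> bool:
    """Heuristic for 'random string' accounts: letters and digits mixed, 5+ chars."""
    return bool(re.fullmatch(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{5,}", name))


def audit_config(config: str, approved=APPROVED_PRIV15, tunnels=KNOWN_TUNNELS):
    """Return (category, detail) findings for the config checks in the bulletin."""
    findings = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if m:
            user, priv = m.group(1), int(m.group(2))
            if priv == 15 and user not in approved:
                why = ("ASD-listed name" if user in ASD_LISTED_NAMES
                       else "random-looking" if looks_random(user)
                       else "not on approved list")
                findings.append(("priv15_account", f"{user} ({why})"))
        elif (m := TUNNEL_RE.match(line)) and m.group(1) not in tunnels:
            findings.append(("unknown_tunnel", m.group(1)))
        elif line in ("ip http server", "ip http secure-server"):
            # Web UI reachable: restrict or disable it (e.g. 'no ip http server').
            findings.append(("web_ui_enabled", line))
    return findings


def in_window(ts: datetime, windows=MAINTENANCE_WINDOWS) -> bool:
    return any(start <= ts <= end for start, end in windows)


def audit_accounting(log: str, windows=MAINTENANCE_WINDOWS):
    """Flag configuration commands issued outside an approved maintenance window."""
    findings = []
    for line in log.splitlines():
        m = ACCT_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        user, cmd = m.group(2), m.group(3)
        if cmd.startswith(CONFIG_CMDS) and not in_window(ts, windows):
            findings.append(("config_change_outside_window",
                             f"{ts.isoformat()} {user}: {cmd}"))
    return findings


if __name__ == "__main__":
    for cat, detail in audit_config(SAMPLE_CONFIG) + audit_accounting(SAMPLE_ACCOUNTING):
        print(f"[{cat}] {detail}")
```

Run against the constructed sample, the script reports the two unapproved privilege 15 accounts, both web UI lines, the undocumented Tunnel99, and the three configuration commands the unknown account issued outside the window; the approved admin's change inside the window is not flagged. Feed it the output of `show running-config` and your AAA server's command-accounting export, and keep the approved-account and known-tunnel lists in version control so the audit has a trusted baseline to compare against.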
The Broader Lesson: Old Vulnerabilities, New Persistence
The BADCANDY campaign highlights a recurring theme in cybersecurity: attackers don’t need new zero-days when organizations leave old doors open.
Even with awareness dating back nearly two years, CVE-2023-20198 remains unpatched in thousands of devices worldwide. As long as vulnerable systems remain exposed, nation-state actors will keep exploiting them to gain footholds in high-value networks.
For leadership teams, this is not just a technical issue — it’s a resilience issue. It speaks to patch governance, vendor trust, and operational maturity.
Final Thought
BADCANDY is a reminder that cyber hygiene is only as strong as your oldest unpatched device. Network infrastructure — often overlooked in security roadmaps — can quietly become the soft underbelly of even the most modern enterprise.
If you’re running Cisco IOS XE, now is the time to verify, patch, and audit. The cost of complacency is no longer theoretical.