Australia Alert: BadCandy Threat Targets Unpatched Cisco Devices
In recent weeks, the Australian government has issued a critical warning about cyberattacks on unpatched Cisco IOS XE devices. The attacks exploit CVE-2023-20198, the vulnerability attackers use to plant the BadCandy webshell on vulnerable devices.
Overview of the CVE-2023-20198 Vulnerability
CVE-2023-20198 is a critical-severity flaw (CVSS 10.0) in the IOS XE web UI that lets a remote, unauthenticated attacker create a local account with privilege level 15, the highest administrative level, through the device's HTTP or HTTPS server. That account gives full control of the device. Cisco disclosed the vulnerability in October 2023 as already under active exploitation and released fixed software the same month.
According to the alert, a public exploit appeared about two weeks after the fix, significantly increasing the potential for widespread exploitation. With an administrative account in hand, attackers install the BadCandy webshell, a Lua-based implant served by the device's web server, on internet-exposed devices and use it to run commands on them.
Current Cybersecurity Landscape in Australia
Recent data shows ongoing BadCandy infections across Australian networks. As of July 2025, over 400 devices were reportedly compromised; by late October 2025, more than 150 devices were still infected.
- The number of infections is on a downward trend.
- Authorities have observed attempts to re-exploit previously infected devices.
- The implant itself is not persistent: a reboot removes it, but the vulnerability and any attacker-created administrative accounts remain. Attackers can detect when the implant is gone and reintroduce it before the device is patched.
Government Response and Recommendations
To combat these ongoing threats, the Australian Signals Directorate (ASD) is proactively notifying affected entities. These notifications include:
- Instructions for applying necessary patches.
- Guidelines for hardening devices against future attacks.
- Recommendations for incident response strategies.
For devices without identifiable owners, the ASD is coordinating with internet service providers to reach out to the affected parties.
Threat Landscape and State-Sponsored Actors
The ASD has highlighted concerns that state-sponsored cyber actors, notably the Chinese group ‘Salt Typhoon,’ have previously exploited this vulnerability. This group has been linked to significant attacks on major telecommunications providers in the U.S. and Canada.
While BadCandy can be utilized by various threat actors, recent trends suggest that state-sponsored groups are playing a larger role in current exploitations.
Mitigation Strategies for Cisco Device Administrators
Cisco IOS XE administrators everywhere are advised to follow the mitigations in Cisco's security advisory: upgrade to a fixed release, disable the HTTP server feature on internet-facing systems (or restrict access to it to trusted hosts), and check the running configuration for unfamiliar privilege-15 user accounts, which survive a reboot even after the implant is cleared. Cisco has also published hardening guides for IOS XE devices.
Robust controls of this kind are what prevent further exploitation of vulnerabilities like CVE-2023-20198. Organizations should prioritize patching and respond proactively to emerging threats.
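The two checks a responder most wants after reading the re-exploitation notes and the mitigation advice above, as an added example that is not code from the article, the ASD or Cisco: interpret the result of the implant probe Cisco Talos published (an unauthenticated POST to `/webui/logoutconfirm.html?logon_hash=1`, where a bare hexadecimal reply means the implant answered), and audit `show running-config` output for privilege-15 accounts that are not on an approved list and for an enabled web server. The sample configuration, the hostname and the account names are constructed; `probe_device` makes a real network call and is only for devices you own.

```python
"""Offline triage helpers for CVE-2023-20198 / BadCandy on Cisco IOS XE.

Added example, not code from the article, the ASD or Cisco. It encodes two
checks a responder would run:
  1. Interpret the reply to the implant probe published by Cisco Talos: an
     unauthenticated POST to /webui/logoutconfirm.html?logon_hash=1 that
     returns a bare hexadecimal string means the Lua implant answered.
  2. Scan `show running-config` text for privilege-15 local users not on an
     approved list (exploitation of CVE-2023-20198 creates such an account,
     and it survives a reboot) and for an enabled HTTP(S) server.
"""
import re
import ssl
import urllib.request

PROBE_PATH = "/webui/logoutconfirm.html?logon_hash=1"
HEX_RE = re.compile(r"^[0-9a-fA-F]{8,}$")
PRIV15_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)
HTTP_SERVER_RE = re.compile(r"^ip http (?:secure-)?server$", re.MULTILINE)


def implant_probe_verdict(body: str) -> str:
    """Classify the response body of the probe.

    'implant-present' : the body is a bare hex string, the implant's reply.
    'inconclusive'    : anything else. Later BadCandy variants only answer
                        when a specific Authorization header is sent, so a
                        non-hex reply does not prove the device is clean.
    """
    return "implant-present" if HEX_RE.fullmatch(body.strip()) else "inconclusive"


def probe_device(host: str, timeout: float = 5.0) -> str:
    """Live probe of a device you own (network call; not exercised by tests).

    Certificate verification is disabled because IOS XE web UIs normally
    present self-signed certificates.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{PROBE_PATH}", data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return implant_probe_verdict(resp.read().decode("utf-8", "replace"))


def audit_running_config(config: str, approved_admins: set[str]) -> dict:
    """Flag privilege-15 users not in approved_admins and an enabled web server."""
    unexpected = [u for u in PRIV15_RE.findall(config) if u not in approved_admins]
    return {
        "unexpected_priv15_users": unexpected,
        "http_server_enabled": HTTP_SERVER_RE.search(config) is not None,
    }


# Constructed sample configuration (not captured from a real device). The
# second account name mirrors one that Talos reported attackers creating,
# but here it is purely illustrative.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username netadmin privilege 15 secret 9 $9$placeholder1
username cisco_tac_admin privilege 15 secret 9 $9$placeholder2
username helpdesk privilege 1 secret 9 $9$placeholder3
!
ip http server
ip http secure-server
!
"""

if __name__ == "__main__":
    # A constructed 18-character hex reply, the shape the implant returns.
    print(implant_probe_verdict("4d8a2c7e90bf13a5e1"))
    print(audit_running_config(SAMPLE_CONFIG, {"netadmin"}))
```

A device that fails either check should be treated as compromised, not merely vulnerable: upgrade it, remove the unexpected accounts, reboot to clear the implant, and then disable `ip http server` and `ip http secure-server` on internet-facing systems or restrict them with an access class. A reboot on its own only buys time, because the accounts persist and the attacker can re-exploit an unpatched device.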