Australia Warns of Ongoing BadCandy Attacks Targeting Unpatched Cisco IOS XE Routers

The Australian government has warned of persistent attacks on unpatched Cisco IOS XE devices in the country, with attackers compromising routers by installing the BadCandy webshell. The vulnerability at the center of these attacks is CVE-2023-20198, a critical (CVSS 10.0) flaw in the IOS XE web UI that lets a remote, unauthenticated attacker create a local account with privilege level 15 (full administrative rights) through the web interface, effectively taking control of the device.

Cisco disclosed the flaw on 16 October 2023 as an actively exploited zero-day and shipped fixed software releases the following week. A public proof-of-concept exploit followed at the end of that month, accelerating widespread attacks that plant backdoors on internet-exposed devices.

Recent reporting from the Australian Signals Directorate (ASD) indicates that several Lua-based variants of the BadCandy webshell have continued to be used in attacks throughout 2024 and 2025, which shows that many Cisco devices remain unpatched. Once installed, BadCandy lets a remote attacker execute arbitrary commands at root level on the compromised device. The implant is not persistent and is removed by a reboot, but reinstalling it is trivial if the web UI remains reachable and the device is still unpatched, so a reboot alone is not a fix.
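Because a reboot removes the implant but not the exposure, a practitioner wants a repeatable way to check a fleet for the implant and to confirm the web UI is no longer reachable. The following script is an added example and is not part of the ASD warning or of Cisco's own tooling; it wraps the implant check Cisco Talos published in October 2023 for the CVE-2023-20198 web UI implant, in which the implant answers a POST to `/webui/logoutconfirm.html?logon_hash=1` with a hexadecimal string while a clean device returns an HTML page or an error. The `Authorization` header value is reproduced from the Talos post from memory and should be confirmed against the current Cisco advisory before you rely on it; the host list and the `classify_response` helper are this example's own.

```shell
#!/bin/sh
# Added example: fleet check for the CVE-2023-20198 web UI implant (BadCandy).
# Not from the article, the ASD, or Cisco. Run only against devices you are
# authorised to assess.

# Header value as published by Cisco Talos for the implant variant that
# requires an Authorization header. Assumption: reproduced from memory, so
# verify it against the current Cisco advisory before use.
TALOS_AUTH="0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"

# classify_response BODY
# Prints "implant" when the body is a non-empty string of hex digits (the
# implant's reply per Talos) and "clean" for anything else: an HTML logout
# page, an HTTP error body, or no response at all (web UI disabled/filtered).
classify_response() {
    body=$(printf '%s' "$1" | tr -d '\r\n\t ')
    case "$body" in
        "")             echo "clean" ;;   # empty: no web UI answer or no implant
        *[!0-9a-fA-F]*) echo "clean" ;;   # contains non-hex characters: normal page
        *)              echo "implant" ;; # pure hex string: implant responded
    esac
}

# probe_device HOST [PORT]
# Issues the Talos check against one device and prints "HOST implant" or
# "HOST clean". -k is needed because IOS XE web UIs almost always use
# self-signed certificates; -m bounds the wait for filtered hosts.
probe_device() {
    host="$1"
    port="${2:-443}"
    body=$(curl -k -s -m 10 -X POST \
        -H "Authorization: $TALOS_AUTH" \
        "https://$host:$port/webui/logoutconfirm.html?logon_hash=1" 2>/dev/null)
    printf '%s %s\n' "$host" "$(classify_response "$body")"
}

# probe_fleet FILE
# FILE holds one management address per line (constructed input, not a real
# inventory); lines starting with '#' are skipped.
probe_fleet() {
    while IFS= read -r host; do
        case "$host" in ""|\#*) continue ;; esac
        probe_device "$host"
    done < "$1"
}

# Example invocation (only reached when run as a script, not when sourced):
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    probe_fleet "$2"
fi
```

Any device that reports `implant` should be treated as compromised and handled under incident response, not just rebooted: the account the attacker created under CVE-2023-20198 survives a reboot even though the implant does not. Any device that reports `clean` but still answers on the web UI port is still exposed; Cisco's guidance is to disable the web UI with `no ip http server` and `no ip http secure-server` where it is not required, or to restrict it to management networks with `ip http access-class`, and then to re-run the check to confirm the port no longer responds.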

According to the ASD, more than 400 devices in Australia have potentially been compromised by BadCandy since July 2025, and more than 150 of them were still affected as of late October 2025. Although the overall number of infections is declining, the agency has seen the same vulnerability re-exploited on devices even after the affected organisations were notified. The ASD also observed that attackers can detect when the BadCandy implant has been removed and then re-target those devices to reinstall it.

In light of these ongoing threats, the ASD is notifying victims directly with guidance on patching and hardening their devices and on conducting incident response. Where the owner of a device cannot be identified, the agency is working with internet service providers to reach the affected customers.

Previous reporting links exploitation of this vulnerability to state-sponsored actors, notably the Chinese group tracked as ‘Salt Typhoon,’ which has been tied to intrusions at major telecommunications providers in the U.S. and Canada. The ASD notes that while BadCandy could in principle be deployed by anyone, the recent wave of exploitation appears consistent with state-sponsored activity.

Administrators of Cisco IOS XE devices, in Australia and elsewhere, should apply the fixed software releases listed in Cisco's advisory for CVE-2023-20198, disable the web UI where it is not needed or restrict it to trusted management networks, and follow the IOS XE hardening guide Cisco has published. Devices that have been exposed should also be checked for unauthorised local accounts, since those persist across the reboot that removes the implant.
