The Australian government is warning about ongoing cyberattacks against unpatched Cisco IOS XE devices in the country to infect routers with the BadCandy webshell.
The vulnerability exploited in these attacks is CVE-2023-20198, a max-severity flaw that allows remote unauthenticated threat actors to create a local admin user via the web user interface and take over the devices.
Cisco fixed the flaw in October 2023, which was then marked as an actively exploited issue. A public exploit became available two weeks later, fueling mass exploitation for backdoor planting on internet-exposed devices.
The Australian authorities have warned that variants of the same Lua-based BadCandy web shells are still used in attacks throughout 2024 and 2025, indicating that many Cisco devices remain unpatched.
Once installed, BadCandy allows remote attackers to execute commands with root privileges on compromised devices.
The webshell is wiped from the devices upon reboot. However, given the lack of a patch on those devices and assuming the web interface remains accessible, the attackers can easily re-introduce it.
"Since July 2025, ASD assesses over 400 devices were potentially compromised with BADCANDY in Australia," reads the bulletin. "As at late October 2025, there are still over 150 devices compromised with BADCANDY in Australia."
BadCandy infections in Australia
Source: ASD
Although the number of infections is declining, the agency has seen signs of re-exploitation of the flaw against the same endpoints, even though the breach entities were appropriately alerted.
... continue reading