
BADCANDY Malware Re-infects Unpatched Cisco Devices

Cybersecurity experts are warning of ongoing attacks targeting unpatched Cisco IOS XE devices. Attackers are using the BADCANDY malware to gain control of vulnerable systems, and they are even able to detect and re-exploit devices after the...

Malware implant authors can see you delete their evil code

Image via The Register

Key Insights

  • Attackers are exploiting CVE-2023-20198, a critical vulnerability in Cisco IOS XE, to install the BADCANDY malware.
  • The BADCANDY malware allows attackers to execute commands with root privileges on compromised devices.
  • Attackers can detect when the BADCANDY implant is removed and re-infect the devices.
  • Over 400 devices in Australia were potentially compromised with BADCANDY as of late October 2025.
  • Rebooting a device removes the in-memory BADCANDY web shell, but the underlying vulnerability remains if the device is unpatched, so the device can simply be re-exploited.

In-Depth Analysis

The Australian Signals Directorate (ASD) has issued a warning about ongoing cyberattacks targeting unpatched Cisco IOS XE devices with the BADCANDY malware. The implant is delivered through CVE-2023-20198, a critical vulnerability in the IOS XE web user interface that allows a remote, unauthenticated attacker to create a privilege 15 (full administrative) account and take control of the device.

**Background:** CVE-2023-20198 has been actively exploited since late 2023. The Salt Typhoon group, linked to China, has been known to weaponize this vulnerability to breach telecommunications providers. BADCANDY is a low-equity Lua-based web shell that cyber actors use to compromise Cisco IOS XE devices.

**Technical Details:** BADCANDY has no persistence mechanism, so a reboot removes the web shell from memory. A reboot does not remove the vulnerability, and it does not remove the privilege 15 account the attacker created through CVE-2023-20198, which is written to the device configuration. As long as the device is unpatched and its web UI is reachable, the attacker can re-introduce the implant; the ASD reports that actors notice when the implant disappears and do exactly that.

**Impact:** As of late October 2025, over 150 devices in Australia were compromised with BADCANDY. The ASD has observed instances of re-exploitation, where attackers detect and re-infect devices after the implant is removed.

**Mitigation:**

  • Apply the latest Cisco patches for CVE-2023-20198 (and the fixes Cisco ships alongside it); rebooting alone is not remediation.
  • Limit public exposure of the web user interface: disable the HTTP server feature if it is not needed, or restrict it to trusted management networks.
  • Follow the hardening guidelines issued by Cisco.
  • Review the running configuration for unexpected or unapproved accounts with privilege 15.
  • Look for accounts whose names are random strings or match usernames seen in these attacks, such as "cisco_tac_admin", and remove them if they are not legitimate.
  • Monitor for unknown tunnel interfaces, and enable TACACS+ AAA command accounting so that configuration changes are logged off-box and can be reviewed.
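The configuration review steps above can be scripted so they run the same way across an estate. The following is an added example, not code from the page, the ASD or Cisco: it parses a constructed IOS XE running-config excerpt and reports privilege 15 accounts outside an approved list, random-looking usernames, the "cisco_tac_admin" name the advisory calls out, Tunnel interfaces that are not on an approved list, an enabled web UI, and missing TACACS+ command accounting. The sample configuration, the approved-admin and approved-tunnel sets, and the random-name heuristic are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config excerpt: one approved admin, the cisco_tac_admin
# name from the advisory, a random-looking privilege 15 account, a default
# privilege 1 user, two tunnels (one approved) and the web UI enabled.
SAMPLE_RUNNING_CONFIG = """\
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username q8sjk2mz privilege 15 secret 9 $9$placeholder
username readonly secret 9 $9$placeholder
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.7
!
interface Tunnel100
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.9
!
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
!
ip http server
ip http secure-server
!
end
"""

KNOWN_SUSPICIOUS_USERNAMES = {"cisco_tac_admin"}  # from the advisory; extend locally
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")
INTERFACE_RE = re.compile(r"^interface\s+(\S+)")


@dataclass
class ParsedConfig:
    users: dict = field(default_factory=dict)      # username -> privilege level
    tunnels: list = field(default_factory=list)    # Tunnel interface names
    http_server: bool = False
    https_server: bool = False
    cmd_accounting: bool = False


def parse_running_config(text: str) -> ParsedConfig:
    """Extract the fields the review steps care about from 'show running-config'."""
    cfg = ParsedConfig()
    for line in text.splitlines():
        line = line.rstrip()
        if m := USERNAME_RE.match(line):
            cfg.users[m.group(1)] = int(m.group(2) or 1)  # IOS default is privilege 1
        elif m := INTERFACE_RE.match(line):
            if m.group(1).lower().startswith("tunnel"):
                cfg.tunnels.append(m.group(1))
        elif line == "ip http server":
            cfg.http_server = True
        elif line == "ip http secure-server":
            cfg.https_server = True
        elif line.startswith("aaa accounting commands 15"):
            cfg.cmd_accounting = True
    return cfg


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not from the advisory): 8+ alphanumerics mixing
    letters and digits with few vowels are more likely machine-generated."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return has_digit and has_alpha and vowels <= len(name) // 4


def review(cfg: ParsedConfig, approved_admins: set, approved_tunnels: set) -> list:
    """One finding per deviation from the expected device state."""
    findings = []
    for name, priv in cfg.users.items():
        if name in KNOWN_SUSPICIOUS_USERNAMES:
            findings.append(f"known-suspicious username present: {name} (privilege {priv})")
        elif priv == 15 and name not in approved_admins:
            why = "random-looking name" if looks_random(name) else "not in approved list"
            findings.append(f"unapproved privilege 15 account: {name} ({why})")
    for tun in cfg.tunnels:
        if tun not in approved_tunnels:
            findings.append(f"unknown tunnel interface: {tun}")
    if cfg.http_server:
        findings.append("plaintext web UI enabled (ip http server)")
    if cfg.https_server:
        findings.append("web UI enabled (ip http secure-server); verify it is not internet-reachable")
    if not cfg.cmd_accounting:
        findings.append("no TACACS+ accounting for privilege 15 commands")
    return findings


if __name__ == "__main__":
    # Approved lists are assumptions for the sample device.
    for f in review(parse_running_config(SAMPLE_RUNNING_CONFIG), {"netops"}, {"Tunnel0"}):
        print("FINDING:", f)
```

Feed it the saved output of `show running-config` from each device and keep the approved sets in version control so that drift is a finding rather than a surprise. A clean configuration is not proof that the implant is absent, because BADCANDY lives only in memory: the account created by the initial exploit persists, the web shell does not. Cisco Talos published a request-based check for the original implant (an HTTP POST to `/webui/logoutconfirm.html?logout_item=1` that returns a hexadecimal string when the implant is present), but a later implant variant only answers when a specific Authorization header is supplied, so a negative result from that probe does not clear the device. Patch, then review the configuration, in that order.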

FAQ

What is BADCANDY?

BADCANDY is a Lua-based web shell used by attackers to compromise Cisco IOS XE devices.

What vulnerability does BADCANDY exploit?

BADCANDY is delivered through CVE-2023-20198, a critical vulnerability in the Cisco IOS XE web user interface that allows remote, unauthenticated attackers to create a privilege 15 account and gain control of susceptible systems.

How can I protect my Cisco devices from BADCANDY?

Apply the latest patches for CVE-2023-20198, limit public exposure of the web user interface (disable it if it is not needed), follow the hardening guidelines issued by Cisco, and review the running configuration for privilege 15 accounts and tunnel interfaces you did not create.

Takeaways

  • Unpatched Cisco IOS XE devices are at risk of BADCANDY infection.
  • Attackers can detect when the implant has been removed and re-exploit the device; rebooting clears the web shell but not the vulnerability or any account the attacker added.
  • Patching CVE-2023-20198 and following Cisco's hardening guidelines are crucial for preventing BADCANDY attacks.
  • Regularly review your system configurations for unauthorized accounts and tunnel interfaces.

Disclaimer

This article was compiled by Yanuki using publicly available data and trending information. The content may summarize or reference third-party sources that have not been independently verified. While we aim to provide timely and accurate insights, the information presented may be incomplete or outdated.

All content is provided for general informational purposes only and does not constitute financial, legal, or professional advice. Yanuki makes no representations or warranties regarding the reliability or completeness of the information.

This article may include links to external sources for further context. These links are provided for convenience only and do not imply endorsement.

Always do your own research (DYOR) before making any decisions based on the information presented.