- The Australian Signals Directorate (ASD) reports ongoing attacks on unpatched Cisco IOS XE devices using the BADCANDY implant.
- BADCANDY exploits a critical vulnerability (CVE-2023-20198) that allows remote attackers to create privileged accounts and control devices.
- An estimated 400 Cisco devices in Australia have been compromised since July 2025, with 150 infections reported in October alone.
- BADCANDY is a non-persistent Lua-based web shell that can be reintroduced if devices remain unpatched and internet-exposed.
- ASD urges applying patches, limiting exposure, removing unauthorized accounts, and following Cisco hardening guidelines to prevent further breaches.
The Australian Signals Directorate (ASD) has issued a bulletin warning about sustained cyberattacks targeting unpatched Cisco IOS XE devices across Australia. The attacks exploit a critical, previously undisclosed implant called BADCANDY. This implant leverages the vulnerability identified as CVE-2023-20198, which enables a remote, unauthenticated attacker to create accounts with elevated privileges and seize control of affected systems.
The vulnerability carries a maximum severity score of 10.0 and has been actively exploited in the wild since 2023. Threat actors linked to China, including a group known as Salt Typhoon, have used this exploit against telecommunications providers. Since October 2023, multiple variants of the BADCANDY implant have been detected, with the attacks ongoing into 2024 and 2025. ASD estimates that up to 400 devices were compromised in Australia from July 2025, with 150 infections recorded in October alone.
According to ASD, “BADCANDY is a low equity Lua-based web shell, and cyber actors have typically applied a non-persistent patch post-compromise to mask the device’s vulnerability status in relation to CVE-2023-20198.” This means the implant does not survive a system reboot, but attackers can reinstall it if the device remains vulnerable and connected to the internet. The agency observed attackers detecting and reinfecting devices after implant removal, even when previous notifications had been issued.
ASD emphasizes that rebooting infected devices only removes the implant temporarily and does not reverse other attacker actions. To prevent further exploitation, the agency advises system administrators to promptly apply patches, restrict public access to web interfaces, and follow the hardening guidelines issued by Cisco. Additional recommended actions include reviewing and removing unauthorized accounts with administrative privileges, inspecting unknown tunnel interfaces, and monitoring command logging if enabled.
These measures are critical to address the ongoing threats posed by this sophisticated implant and the exploitation of critical flaws in widely used network devices.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Shiba Inu 2026 Sparks Debate: Is It Worth Joining or Avoiding?
- Fed Signals Major Bitcoin Shift as Price Struggles Above Highs
- Elon Musk to Launch Standalone Encrypted X Chat Messaging App
- BRICS Launches Gold-Based Payment System to Conduct Trade Without Dollars
- US Treasury Praises Bitcoin’s Resilience, Critiques Senate Shutdown
