Australian Government Warns of Ongoing Attacks Targeting Unpatched Cisco IOS XE Devices, Risk of “BadCandy” Webshell Infection


442/68 Tuesday, November 4, 2025

The Australian Signals Directorate (ASD) has issued a warning about ongoing cyberattacks exploiting the vulnerability CVE-2023-20198 in Cisco IOS XE devices. Attackers are using the flaw to implant a malicious webshell known as BadCandy, which gives them administrator-level control over the device. The vulnerability carries the highest severity rating, CVSS 10.0, and affects both physical and virtual devices with Web User Interface (Web UI) enabled over HTTP or HTTPS.

BadCandy was first detected in October 2023, and attacks have continued throughout 2024–2025. Since July 2025, ASD has identified more than 400 devices potentially infected with the webshell, and as of October 2025, over 150 devices in Australia were still compromised and accessible. The BadCandy webshell is implemented in Lua and does not persist after a reboot, but attackers may still retain access through stolen credentials.

ASD further warns that attackers can detect when the webshell is removed and will reinfect devices immediately if they remain unpatched. Administrators are strongly advised to apply patches without delay, disable the HTTP Server feature, and follow the Cisco IOS XE Hardening Guide to reduce the risk of reinfection. ASD has notified affected organizations and provided incident response guidance and preventative measures.
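To make the "disable the HTTP Server feature" step checkable, here is an added example (not from the advisory or from Cisco) that audits the `ip http server` / `ip http secure-server` statements in the text of `show running-config`; the two configs are constructed samples, and the script only evaluates explicit statements, so the result should be confirmed against the device itself and the Cisco IOS XE Hardening Guide.

```python
import re
from typing import Dict, List

# Constructed sample "show running-config" excerpts, not taken from any real device.
EXPOSED_CONFIG = """\
hostname edge-router-1
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname edge-router-1
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""


def audit_webui(running_config: str) -> Dict[str, object]:
    """Report whether the Web UI is served over HTTP and/or HTTPS.

    CVE-2023-20198 is only reachable when the Web UI is enabled over
    HTTP or HTTPS, so an explicit 'ip http server' or
    'ip http secure-server' statement is the condition the advisory
    asks administrators to remove on devices that cannot be patched yet.
    """
    http = https = False
    for raw in running_config.splitlines():
        line = raw.strip()
        # A later statement overrides an earlier one for the same feature.
        if re.fullmatch(r"ip http server", line):
            http = True
        elif re.fullmatch(r"no ip http server", line):
            http = False
        elif re.fullmatch(r"ip http secure-server", line):
            https = True
        elif re.fullmatch(r"no ip http secure-server", line):
            https = False
    findings: List[str] = []
    if http:
        findings.append("Web UI enabled over HTTP ('ip http server')")
    if https:
        findings.append("Web UI enabled over HTTPS ('ip http secure-server')")
    return {"http": http, "https": https, "findings": findings}
```

Feed it the saved output of `show running-config` from each IOS XE device; an empty `findings` list means both Web UI transports are explicitly disabled in that configuration.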

Source: https://securityaffairs.com/184095/hacking/badcandy-webshell-threatens-unpatched-cisco-ios-xe-devices-warns-australian-government.html