The Australian government warns of ongoing cyberattacks exploiting unpatched Cisco IOS XE devices with the BadCandy webshell, due to the CVE-2023-20198 vulnerability. Despite Cisco's October 2023 fix, threat actors, possibly state-sponsored, continue re-infecting devices with the Lua-based webshell, leading to persistent security risks. #BadCandy #CVE202320198 #ASD
Key points
- The CVE-2023-20198 flaw allows remote, unauthenticated attackers to create admin users on Cisco IOS XE devices.
- The BadCandy webshell enables attackers to execute commands with root privileges and can be reinstalled after reboots.
- Over 150 devices in Australia remain compromised with BadCandy as of late 2025, despite efforts to mitigate the threat.
- The attacks are believed to be conducted by state-sponsored groups, including China's Salt Typhoon.
- Cisco has issued a hardening guide, and Australian authorities advise patching and device hardening to prevent further exploitation.