Australia warns of ongoing BADCANDY attacks on unpatched Cisco IOS XE devices

The Australian Signals Directorate (ASD) has issued a bulletin warning of ongoing cyber attacks that target unpatched Cisco IOS XE devices using an implant identified as BADCANDY.

ASD said the activity involves exploitation of CVE-2023-20198, a critical vulnerability that allows a remote, unauthenticated attacker to create an account with elevated privileges and seize control of affected systems. The vulnerability has been exploited in the wild since 2023, and threat actors have used it to breach telecommunications providers.

According to ASD, variations of the BADCANDY implant have been observed since October 2023 and attacks have continued through 2024 and 2025. The agency estimates as many as 400 devices in Australia have been compromised with the malware since July 2025, including about 150 infections in October 2025. BADCANDY is described as a Lua-based web shell; after compromise, operators have typically applied a non-persistent modification to the device to hide its vulnerable status.

ASD noted the implant lacks persistence across reboots, but warned that if devices remain unpatched and exposed online, attackers can reintroduce the malware and regain access; the agency has observed re-exploitation of devices it had previously notified. ASD urged operators to apply patches, reduce public exposure of device web interfaces and follow Cisco’s hardening guidelines. It also recommended reviewing running configurations for unexpected privilege 15 accounts, removing suspicious account names such as “cisco_tac_admin” or similarly random strings, checking for unknown tunnel interfaces and reviewing TACACS+ command accounting logs where enabled.
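As an added example (not code from ASD's bulletin or from Cisco), the script below runs the configuration review ASD recommends over constructed `show running-config` output: it flags privilege 15 accounts outside an approved list, the `cisco_tac_admin` name and random-looking usernames, tunnel interfaces not in an inventory, and whether the HTTP server lines are present. The approved-account list, the tunnel inventory and the sample configuration are assumptions made for the example.

```python
import re

# Constructed sample of "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-router-1
!
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username xq7vlk2p privilege 15 secret 9 $9$placeholder
username helpdesk privilege 5 secret 9 $9$placeholder
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 192.0.2.1 255.255.255.0
!
ip http server
ip http secure-server
"""

# Assumed inventory: accounts and tunnels the organisation approved.
KNOWN_ACCOUNTS = {"netadmin"}
KNOWN_TUNNELS = set()

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)")
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)", re.IGNORECASE)
# Heuristic for the "similarly random strings" ASD mentions: a short
# lowercase alphanumeric name that mixes in digits.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{6,12}$")


def review_config(config, known_accounts=KNOWN_ACCOUNTS, known_tunnels=KNOWN_TUNNELS):
    """Return (reason, item) findings for a reviewer to triage."""
    findings = []
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            name, priv = m.group(1), int(m.group(2))
            if name == "cisco_tac_admin":
                findings.append(("known_bad_account", name))
            elif priv == 15 and name not in known_accounts:
                reason = "random_looking_priv15" if RANDOM_NAME_RE.match(name) else "unexpected_priv15"
                findings.append((reason, name))
            continue
        m = TUNNEL_RE.match(line)
        if m and m.group(1) not in known_tunnels:
            findings.append(("unknown_tunnel", m.group(1)))
        elif line.startswith("ip http"):
            # Web UI enabled: ASD advises reducing its public exposure.
            findings.append(("web_ui_enabled", line.strip()))
    return findings
```

Run it against the output of `show running-config` collected from each device; anything it reports still needs a human to confirm against change records before an account or interface is removed.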