
Aussie cyber agency warns of state and criminal actors abusing BADCANDY implant

The ASD’s Australian Cyber Security Centre says there are more than 150 compromised Cisco IOS XE devices embedded in Australian organisations.


The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released an advisory late last week, warning of a malicious web-shell implant dubbed BADCANDY, which is commonly linked to CVE-2023-20198, a vulnerability in Cisco IOS XE devices.

The implant is a low-equity Lua-based web shell first observed in October 2023, but with what the ACSC calls “renewed notable activity” throughout 2024 and 2025.

The ACSC said “cyber actors have typically applied a non-persistent patch post-compromise to mask the device’s vulnerability status in relation to CVE-2023-20198”.


“In these instances, the presence of the BADCANDY implant indicates compromise of the Cisco IOS XE device, via CVE-2023-20198,” it said.

While BADCANDY does not persist across a reboot of an infected device, an attacker who first deployed the implant and also obtained account credentials or similar access may be able to retain access to the device.

CVE-2023-20198 must be patched to prevent re-exploitation, and access to the web user interface should be restricted as well.

“Since July 2025, ASD assesses over 400 devices were potentially compromised with BADCANDY in Australia,” according to the ASD.

“As at late October 2025, there are still over 150 devices compromised with BADCANDY in Australia.”

Cisco has reported active exploitation of CVE-2023-20198, with indicators of compromise, patch details and mitigation advice available in Cisco’s original security advisory. Cisco has also published advice on hardening against future compromise.

Chinese APT Salt Typhoon has commonly exploited CVE-2023-20198.

The ASD notified victims of compromise in July 2025, when there were around 300 BADCANDY-infected devices in the country. The agency sent out another round of notifications in September and a third in October. The number of compromised devices has steadily decreased, but the rate of decrease has not been fast enough.

“While any actor can use this implant, ASD believes that criminal and state-sponsored cyber actors may leverage the BADCANDY implant,” the advisory said.

“Cyber actors are known to re-exploit previously compromised devices where the device has not been patched and the interface has been left exposed to the internet.

“This presents an ongoing risk to Australian networks.”
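The advisory’s two practical points, that CVE-2023-20198 must be patched and the web UI restricted, and that a post-compromise “patch” can mask a device’s real vulnerability status, translate into a simple fleet triage. The script below is an added example written for this article, not code from the ASD, the ACSC or Cisco. It checks constructed device records for an unpatched release, a web UI (`ip http server` / `ip http secure-server`) enabled without an `ip http access-class` restriction or reachable from the internet, and the tell-tale mismatch where an unpatched release is reported as not vulnerable by an external scanner. The `FIXED_RELEASES` set, the version strings and the hostnames are placeholders; take the real fixed releases from Cisco’s advisory.

```python
"""
Added example (not from the ASD/ACSC advisory or from Cisco): triage of Cisco IOS XE
device records against the conditions the advisory ties to BADCANDY exposure.
All device data below is constructed. FIXED_RELEASES is a placeholder set and must be
replaced with the fixed releases listed in Cisco's CVE-2023-20198 advisory.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Placeholder values (constructed): take the real list from Cisco's advisory.
FIXED_RELEASES = {"17.99.1a", "17.98.2a"}


@dataclass
class Device:
    hostname: str
    version: str                 # release string from "show version"
    running_config: str          # excerpt of "show running-config"
    internet_exposed: bool       # from the organisation's own edge/ACL review
    scanner_says_vulnerable: Optional[bool] = None  # external vuln-scan verdict, if any


@dataclass
class Finding:
    hostname: str
    issues: list[str] = field(default_factory=list)
    severity: str = "ok"


def web_ui_state(config: str) -> dict:
    """Report which HTTP(S) listeners are enabled and whether an access-class guards them.
    Lines that begin with 'no ' do not match because each pattern is anchored at ^."""
    enabled = {
        "http": re.search(r"^ip http server\s*$", config, re.M) is not None,
        "https": re.search(r"^ip http secure-server\s*$", config, re.M) is not None,
    }
    acl = re.search(r"^ip http access-class (?:ipv4 )?(\S+)", config, re.M)
    return {"enabled": enabled, "access_class": acl.group(1) if acl else None}


def triage(dev: Device, fixed_releases: set[str]) -> Finding:
    """Apply the advisory's risk conditions to one device and rate the result."""
    f = Finding(dev.hostname)
    unpatched = dev.version not in fixed_releases
    ui = web_ui_state(dev.running_config)
    ui_on = any(ui["enabled"].values())

    if unpatched:
        f.issues.append("release not in fixed list: patch CVE-2023-20198")
        # The advisory notes that actors apply a non-persistent patch after compromise,
        # so a scanner verdict of "not vulnerable" on an unpatched release is itself a signal.
        if dev.scanner_says_vulnerable is False:
            f.issues.append("scanner reports not vulnerable on an unpatched release: "
                            "possible post-compromise masking, inspect for BADCANDY")
    if ui_on and dev.internet_exposed:
        f.issues.append("web UI reachable from the internet: restrict or disable it")
    if ui_on and ui["access_class"] is None:
        f.issues.append("web UI enabled with no ip http access-class restriction")

    if unpatched and ui_on and dev.internet_exposed:
        f.severity = "critical"   # the re-exploitation scenario the advisory describes
    elif f.issues:
        f.severity = "high"
    return f


def triage_all(devices, fixed_releases=FIXED_RELEASES) -> dict:
    return {d.hostname: triage(d, fixed_releases) for d in devices}


# Constructed sample inventory (hostnames, versions and configs are invented).
DEVICES = [
    Device("edge-rtr-1", "17.3.0-lab",
           "ip http server\nip http secure-server\n",
           internet_exposed=True, scanner_says_vulnerable=False),
    Device("core-sw-2", "17.99.1a",
           "no ip http server\nip http secure-server\nip http access-class ipv4 MGMT-ONLY\n",
           internet_exposed=False),
    Device("branch-rtr-3", "17.3.0-lab",
           "no ip http server\nno ip http secure-server\n",
           internet_exposed=True),
]

if __name__ == "__main__":
    for host, finding in triage_all(DEVICES).items():
        print(f"{host}: {finding.severity}")
        for issue in finding.issues:
            print(f"  - {issue}")
```

Because the running release is read from the device itself rather than inferred from a probe, a device that has been "patched" by an intruder still shows up as unpatched here, which is the behaviour the advisory says to look for. The web UI checks only see what is in the excerpt passed in, so feed the script the full `show running-config` output in practice.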

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
