ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability

Nov 01, 2025 | Ravie Lakshmanan | Artificial Intelligence / Vulnerability

The Australian Signals Directorate (ASD) has issued a bulletin regarding ongoing cyber attacks targeting unpatched Cisco IOS XE devices in Australia with a newly discovered implant called BADCANDY.

According to the intelligence agency, the attacks exploit CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability that enables remote, unauthenticated attackers to create an account with elevated privileges and take control of vulnerable systems.

This security flaw has been actively exploited since 2023, with threat actors linked to China, such as Salt Typhoon, leveraging it to breach telecommunications providers in recent months.

ASD has identified variations of BADCANDY since October 2023, with new attacks continuing in 2024 and 2025. An estimated 400 devices in Australia have been compromised by the malware since July 2025, with 150 of them infected in October alone.

"BADCANDY is a low-equity Lua-based web shell, and cyber actors typically apply a non-persistent patch post-compromise to conceal the device's vulnerability status related to CVE-2023-20198," the agency stated. "The presence of the BADCANDY implant indicates the compromise of the Cisco IOS XE device via CVE-2023-20198 in these instances."

Although lacking a persistence mechanism, the malware can be reintroduced by threat actors if the device remains unpatched and exposed to the internet, enabling them to regain access.

ASD has observed that threat actors can detect when the implant is removed and reinfect devices, as evidenced by re-exploitation on devices previously notified by the agency to affected entities.

While a reboot will not reverse other actions taken by attackers, it is crucial for system operators to apply patches, reduce public exposure of the web user interface, and follow Cisco’s hardening guidelines to thwart future exploitation attempts.

The agency has outlined the following actions:

  • Review the running configuration for accounts with privilege 15 and remove unexpected or unauthorized accounts
  • Review accounts with random strings or "cisco_tac_admin," "cisco_support," "cisco_sys_manager," or "cisco" and remove if not legitimate
  • Review the running configuration for unknown tunnel interfaces
  • Review TACACS+ AAA command accounting logging for configuration changes if enabled
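
The four review steps above can be run mechanically over a saved copy of `show running-config`. The script below is an added example, not ASD's or Cisco's tooling: it flags privilege 15 accounts outside an operator-supplied allowlist, the account names ASD lists (plus a simple random-string heuristic that is my assumption, not ASD's rule), tunnel interfaces outside an expected set, and whether TACACS+ command accounting is configured. The sample configuration, hostnames and secrets are constructed placeholders.

```python
import re

# Account names ASD lists as indicators of BADCANDY / CVE-2023-20198 activity.
ASD_SUSPICIOUS_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}

# "username <name> privilege <n> ..." as written in a running configuration.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)\b", re.IGNORECASE)
# Any "aaa accounting commands <level> ... tacacs+" line means command accounting is on.
TACACS_RE = re.compile(r"^aaa\s+accounting\s+commands\s+\d+\s+.*tacacs\+", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic for the 'random string' account names ASD describes (assumption, not ASD's rule)."""
    return len(name) >= 10 and name.isalnum() and sum(c.isdigit() for c in name) >= 3


def review_running_config(config: str, expected_admins: set, expected_tunnels: set) -> dict:
    """Apply the four ASD review steps to the text of 'show running-config'."""
    findings = {"privilege15": [], "suspicious_names": [], "unknown_tunnels": [], "tacacs_accounting": False}
    for raw in config.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            name, priv = m.group(1), int(m.group(2))
            if priv == 15 and name not in expected_admins:
                findings["privilege15"].append(name)
            if name.lower() in ASD_SUSPICIOUS_NAMES or looks_random(name):
                findings["suspicious_names"].append(name)
            continue
        m = TUNNEL_RE.match(line)
        if m and m.group(1) not in expected_tunnels:
            findings["unknown_tunnels"].append(m.group(1))
        elif TACACS_RE.match(line):
            findings["tacacs_accounting"] = True
    return findings


# Constructed sample of "show running-config" output; names and secrets are placeholders.
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username Xq7z9kLm2pQw privilege 15 secret 9 $9$PLACEHOLDER
username readonly privilege 1 secret 9 $9$PLACEHOLDER
interface Tunnel0
interface Tunnel100
 tunnel source GigabitEthernet1
aaa accounting commands 15 default start-stop group tacacs+
"""

if __name__ == "__main__":
    print(review_running_config(SAMPLE_CONFIG, {"netadmin"}, {"Tunnel0"}))
```

Accounts configured without an explicit `privilege` keyword default to level 1 and are deliberately not matched; widen `USERNAME_RE` if your configurations rely on that default.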