The Australian Signals Directorate (ASD) has raised an alarm about ongoing cyber attacks on unpatched Cisco IOS XE devices within Australia, employing a previously undocumented malware dubbed BADCANDY. This malicious activity exploits a critical vulnerability identified as CVE-2023-20198, which has a CVSS score of 10.0. This vulnerability allows remote, unauthenticated attackers to create accounts with elevated privileges, granting them control over affected systems.
Since its discovery, the vulnerability has been actively exploited, particularly by threat actors affiliated with China, such as the group known as Salt Typhoon, who have targeted telecommunications providers in recent months. The ASD has detected various versions of BADCANDY since October 2023, with a concerning number of continued attacks recorded into 2024 and 2025. It is reported that approximately 400 devices in Australia have been compromised since July 2025, with 150 incidents occurring just in October.
BADCANDY is described as a low-footprint, Lua-based web shell. After compromising a device, the attackers typically apply a temporary patch so that the device no longer appears vulnerable to CVE-2023-20198, obscuring its true status. Because the implant is non-persistent, it may not survive a system reboot, but the attackers can easily reintroduce it if the device remains unpatched and internet-exposed. The ASD has noted that the attackers are able to detect when the implant has been removed, which has led to the same devices being infected repeatedly.
The ASD emphasizes the importance of addressing these vulnerabilities swiftly. They urge system operators to implement the necessary patches, minimize public exposure of the web user interface, and adhere to hardening guidelines provided by Cisco to forestall further exploitation attempts.
Key actions recommended by the ASD include:
- Reviewing the running configuration for accounts with privilege 15, removing any unexpected or unauthorized accounts.
- Checking for accounts with random strings or common usernames known to be exploited.
- Reviewing configurations for any unidentified tunnel interfaces and scrutinizing TACACS+ command accounting logging to track changes.
Failure to take these steps may leave systems vulnerable to repeated attacks.
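The configuration review the ASD recommends can be scripted. The following is an added example, not code from the ASD or Cisco: it scans a constructed IOS XE running-config excerpt for privilege 15 accounts outside an operator-supplied allowlist, for random-looking usernames, and for tunnel interfaces the operator does not recognise. The sample config, the allowlist contents and the random-name heuristic are all assumptions made for illustration.

```python
import re

# Constructed sample running-config excerpt (not from the ASD advisory or a real
# device). The operator's known-good entries are 'netadmin' and Tunnel0.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$REDACTED1
username support_tmp privilege 15 secret 9 $9$REDACTED2
username x7Qk2pLmZ9 privilege 15 secret 9 $9$REDACTED3
username helpdesk privilege 1 secret 9 $9$REDACTED4
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
interface Tunnel99
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.5
"""

USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)", re.M)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)", re.M)
# Assumed heuristic for the "random string" usernames the advisory mentions:
# 8+ alphanumeric characters mixing upper case, lower case and digits.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}$")


def review_config(config, expected_admins, expected_tunnels):
    """Return (unexpected privilege-15 accounts, random-looking usernames,
    unidentified tunnel interfaces) found in an IOS XE running-config."""
    unexpected_admins, random_names = [], []
    for user, priv in USERNAME_RE.findall(config):
        if priv == "15" and user not in expected_admins:
            unexpected_admins.append(user)
        if RANDOM_NAME_RE.match(user):
            random_names.append(user)
    unexpected_tunnels = [t for t in TUNNEL_RE.findall(config)
                          if t not in expected_tunnels]
    return unexpected_admins, random_names, unexpected_tunnels


if __name__ == "__main__":
    admins, rand, tunnels = review_config(SAMPLE_RUNNING_CONFIG,
                                          {"netadmin"}, {"Tunnel0"})
    print("unexpected privilege-15 accounts:", admins)
    print("random-looking usernames:", rand)
    print("unidentified tunnel interfaces:", tunnels)
```

Any hit should be confirmed against the device's change records and TACACS+ command accounting logs rather than treated as proof of compromise on its own.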