Australia Warns of 'BADCANDY' Malware Targeting Unpatched Cisco Devices

Australian Signals Directorate Issues Alert on BADCANDY Implant Targeting Cisco IOS XE Vulnerability CVE-2023-20198

Severity: CRITICAL
Published: November 1, 2025
Reading time: 4 minutes
Categories: Cyberattack, Vulnerability, Malware

Related Entities

  • Threat actor: Salt Typhoon
  • Product: Cisco IOS XE
  • Malware: BADCANDY
  • CVE: CVE-2023-20198 (CRITICAL, CVSS 10)

Executive Summary

The Australian Signals Directorate (ASD) has released a high-priority alert regarding a new malware implant named BADCANDY that is being actively deployed against unpatched Cisco IOS XE devices in Australia. The attackers are exploiting CVE-2023-20198, a maximum-severity (CVSS 10.0) vulnerability that allows for unauthenticated remote code execution. The campaign has shown a recent surge, with the ASD identifying 150 compromised devices in October 2025, bringing the total to approximately 400 since July 2025. The BADCANDY implant is a Lua-based web shell that gives attackers persistent access as long as the device is not rebooted. The attackers have been observed reinfecting devices after the implant is removed, indicating a persistent and determined adversary.

Vulnerability Details

  • CVE-2023-20198: This critical vulnerability resides in the web UI feature of Cisco IOS XE software. It allows a remote, unauthenticated attacker to create a local user account with privilege level 15 (full administrative access) and gain complete control of the device. The vulnerability was first disclosed and exploited in late 2023, with China-linked groups like Salt Typhoon using it to compromise telecommunications infrastructure.

Threat Overview

The current campaign involves the deployment of the BADCANDY implant. This malware is a Lua-based web shell that is written to the device's file system, and it allows the attacker to execute arbitrary commands on the compromised device. A key tactic observed by the ASD is that, after deploying BADCANDY, the attackers apply a non-persistent, in-memory patch to the device's web server. Because the patched web server no longer appears vulnerable, scanners checking for CVE-2023-20198 report the device as clean, giving the device owner a false sense of security. However, the presence of the implant itself is definitive proof of compromise.

Technical Analysis

  • Initial Access (T1190 - Exploit Public-Facing Application): The attackers gain initial access by exploiting CVE-2023-20198 on unpatched, internet-facing Cisco IOS XE devices.
  • Persistence (T1505.003 - Server Software Component: Web Shell): The BADCANDY implant is installed, which functions as a web shell, providing the attacker with a persistent method to execute commands via HTTP/S requests.
  • Defense Evasion (T1562.007 - Disable or Modify Tools): The attackers patch the vulnerability in memory post-exploitation. This is a clever defense evasion tactic designed to thwart vulnerability scanners.
  • Non-Persistence: The BADCANDY implant and the in-memory patch do not survive a reboot. However, the ASD has observed that the attackers are actively monitoring their implants and will quickly reinfect a device if it is rebooted but not properly patched.

Impact Assessment

Compromise of network infrastructure devices like routers and switches is extremely serious. An attacker with full control over these devices can:

  • Monitor, redirect, or modify network traffic passing through the device.
  • Use the compromised device as a pivot point to launch further attacks into the internal network.
  • Disrupt network operations, causing outages.
  • Maintain long-term, stealthy persistence within a target's perimeter.

The targeting of telecommunications providers and other critical infrastructure operators poses a national security risk.

Detection Methods

  • Cisco's check-integrity.py script: Cisco has provided a script to check for the presence of the implant. This should be run on all suspect devices.
  • Manual Inspection: Administrators can check for the presence of the BADCANDY implant by running the command show running-config | include ip http active-session-modules. The presence of badcandy indicates a compromise.
  • Network Traffic Analysis: Monitor for unusual HTTP/S requests to the device's web UI, especially those that do not align with normal administrative activity.

Remediation Steps

  1. Patch Immediately (M1051 - Update Software): The only definitive solution is to upgrade all Cisco IOS XE devices to a patched software version as recommended in the Cisco security advisory.
  2. Disable Web UI: If the web UI is not required for business purposes, disable it on all internet-facing devices to completely remove the attack surface. This can be done with the command no ip http server or no ip http secure-server.
  3. Assume Breach: If a device was vulnerable and exposed to the internet, assume it has been compromised. Follow incident response procedures, which should include wiping the device and restoring from a known-good configuration after patching.
  4. Restrict Access: Limit access to the web UI to a dedicated management network and trusted IP addresses only.
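Added example (not code from the ASD alert, Cisco, or the article's author): a small Python triage that applies the manual check from Detection Methods (an ip http active-session-modules entry naming badcandy) together with the web UI posture checks implied by Remediation Steps 2 and 4 to running-config text. The hostname, usernames and both config excerpts are constructed samples, not real captures.

```python
import re

# Constructed 'show running-config' excerpts (not real captures): VULNERABLE carries the
# BADCANDY indicator from the alert and an unrestricted web UI; HARDENED has it disabled.
VULNERABLE = """\
hostname edge-rtr-01
username admin privilege 15 secret 9 $9$placeholder
username svc_ops privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http active-session-modules badcandy
end
"""
HARDENED = "hostname edge-rtr-01\nusername admin privilege 15 secret 9 $9$placeholder\nno ip http server\nno ip http secure-server\nend\n"

MODULES_RE = re.compile(r"^ip http active-session-modules\s+(\S+)", re.M)
PRIV15_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.M)

def find_implant_indicator(config: str) -> list[str]:
    """Module names on 'ip http active-session-modules' lines that contain 'badcandy'."""
    return [m for m in MODULES_RE.findall(config) if "badcandy" in m.lower()]

def web_ui_posture(config: str) -> dict:
    """Which web UI servers are enabled and whether an access-class restricts them."""
    def enabled(keyword: str) -> bool:
        return re.search(rf"^ip http {keyword}$", config, re.M) is not None
    return {"http": enabled("server"), "https": enabled("secure-server"),
            "access_class": re.search(r"^ip http access-class\b", config, re.M) is not None}

def privilege15_users(config: str) -> list[str]:
    """Privilege-15 local users to review; exploiting CVE-2023-20198 creates such an account."""
    return PRIV15_RE.findall(config)

def triage(config: str) -> dict:
    """Combine the checks into a verdict a responder can act on."""
    implant = find_implant_indicator(config)
    posture = web_ui_posture(config)
    exposed = (posture["http"] or posture["https"]) and not posture["access_class"]
    if implant:
        verdict = "compromised"  # implant present is definitive; a reboot alone is not a fix
    elif exposed:
        verdict = "exposed"      # web UI reachable without restriction: patch or disable it
    else:
        verdict = "hardened"
    return {"verdict": verdict, "implant": implant, "posture": posture,
            "priv15_users": privilege15_users(config)}

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, triage(cfg))
```

Feed it the saved output of show running-config from each suspect device; a "compromised" verdict should trigger the assume-breach procedure above rather than a reboot.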

Timeline of Events

  1. October 1, 2023: Variations of BADCANDY were first detected.
  2. July 1, 2025: A new wave of attacks begins, compromising approximately 400 devices in Australia by October.
  3. October 1, 2025: A significant spike in infections occurs, with 150 devices compromised in October alone.
  4. November 1, 2025: The Australian Signals Directorate (ASD) issues a public warning about the campaign.
  5. November 1, 2025: This article was published.

MITRE ATT&CK Mitigations

The most effective mitigation is to update Cisco IOS XE software to a patched version that remediates CVE-2023-20198.

Disable the HTTP/S web UI on internet-facing devices if it is not essential for operations.

Restrict access to the device's management interface to a trusted management network or specific IP addresses.

Sources & References

  • ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability, The Hacker News (thehackernews.com), November 1, 2025
  • Cisco IOS XE Vulnerability Being Abused in the Wild to Plant BADCANDY, GBHackers on Security (gbhackers.com), November 1, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags: BADCANDY, Cisco, IOS XE, CVE-2023-20198, Web Shell, ASD, Australia
