The Australian government has released a warning about ongoing attacks targeting unpatched Cisco IOS XE devices across the country. According to a bulletin from the Australian Signals Directorate (ASD), threat actors are exploiting a critical vulnerability to install the BadCandy webshell, allowing them to take full control of affected routers.
The exploited flaw, tracked as CVE-2023-20198, is an improper privilege management issue that allows remote, unauthenticated attackers to create a local administrative user through the web interface and seize control of the device. Cisco patched the issue in October 2023, but the flaw came under widespread exploitation following the release of a public exploit.
According to the ASD, BadCandy variants, first spotted in 2023, have been observed throughout 2024 and 2025. BadCandy is a low-equity Lua-based web shell that grants attackers root-level command execution on compromised systems.
“The BadCandy implant does not persist following a device reboot; however, where an actor has accessed account credentials or other forms of persistence, the actor may retain access to the device or network. The patch for CVE-2023-20198 must be applied to prevent re-exploitation. Access to the web user interface should also be restricted if enabled,” the Australian agency said, noting that over 400 devices have been potentially infected with the malware since July 2025. As at late October 2025, there are still over 150 devices compromised with BadCandy in Australia.
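The two mitigations the ASD names (restrict the web UI, and watch for the administrative account that CVE-2023-20198 lets an attacker create) can be checked offline against a device's running configuration. The script below is an added example written for this article, not code from the ASD, Cisco or any vendor. It audits two constructed IOS XE configuration excerpts: one with the web UI exposed and an unexplained privilege-15 user, and one with plaintext HTTP disabled and HTTPS restricted by an access-class. The ACL name `MGMT-ONLY`, the account names and the `KNOWN_ADMINS` allowlist are assumptions for the example; the `ip http access-class ipv4 <acl>` form is the IOS XE syntax as the author understands it and should be checked against the documentation for the running release.

```python
import re

# Constructed sample: web UI exposed on HTTP and HTTPS, no access-class,
# and a privilege-15 account nobody on the team created. Not a real config.
WEAK_CONFIG = """\
hostname edge-router-1
!
username admin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

# Constructed sample: plaintext HTTP off, HTTPS kept but limited to a
# management subnet via an access-class, only the expected admin account.
HARDENED_CONFIG = """\
hostname edge-router-1
!
username admin privilege 15 secret 9 $9$placeholder
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

# Assumed allowlist of privilege-15 local accounts the operator expects to exist.
KNOWN_ADMINS = {"admin"}


def audit_config(config: str, known_admins=KNOWN_ADMINS) -> dict:
    """Flag web-UI exposure and unexpected privilege-15 local users in an IOS XE config."""
    lines = [ln.strip() for ln in config.splitlines()]

    # Exact-line matches: "no ip http server" is a different string, so it
    # does not count as enabled.
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    access_class = any(ln.startswith("ip http access-class") for ln in lines)

    # CVE-2023-20198 exploitation creates a local user with privilege 15;
    # anything outside the allowlist deserves a look.
    priv15 = []
    for ln in lines:
        m = re.match(r"username (\S+) privilege 15\b", ln)
        if m:
            priv15.append(m.group(1))
    unexpected = sorted(set(priv15) - set(known_admins))

    findings = []
    if http_on:
        findings.append("plaintext HTTP web UI enabled (ip http server)")
    if (http_on or https_on) and not access_class:
        findings.append("web UI reachable without an ip http access-class restriction")
    for user in unexpected:
        findings.append(f"unexpected privilege-15 local user: {user}")

    return {
        "web_ui_enabled": http_on or https_on,
        "access_class": access_class,
        "unexpected_admins": unexpected,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"[{label}] findings: {result['findings'] or 'none'}")
```

Run it against `show running-config` output saved from each device. A clean result only says the configuration is sound; because BadCandy itself lives in memory and does not survive a reboot, a device that passes this audit may still have been exploited earlier, which is why the ASD pairs the web-UI restriction with applying the patch and reviewing credentials.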
Security analysts have previously linked earlier BadCandy campaigns to state-backed groups, including Salt Typhoon, a Chinese threat actor previously linked to attacks against telecommunications providers in the US and Canada.