Key Metrics
Heat Index: 13.86
Impact Level: Medium
Scope Level: National
Last Update: 2025-11-03
Event Overview
A critical vulnerability in Cisco IOS XE devices is being exploited by cyber attackers, leading to the deployment of BADCANDY malware. This highlights the ongoing threat to unpatched network infrastructure and the need for robust cybersecurity measures.
Australian Signals Directorate Warns of BADCANDY Malware Exploiting Cisco IOS XE Devices
The Australian Signals Directorate (ASD) has issued a warning about ongoing cyber attacks targeting unpatched Cisco IOS XE devices in Australia. The attacks exploit a critical vulnerability, CVE-2023-20198 (CVSS score 10.0), which allows remote, unauthenticated attackers to create an implant known as BADCANDY. Approximately 400 devices in Australia are estimated to have been affected. Since July 2025, multiple devices have been compromised by the BADCANDY malware, with 150 infections occurring in October.

BADCANDY is a Lua-based web shell used by cyber actors, including China-linked threat actors such as Salt Typhoon, who often apply a non-persistent patch to hide the vulnerability. Because the implant has no persistence mechanism, it does not survive a system reboot. However, unpatched and internet-exposed devices can be reinfected by threat actors who detect when the implant is removed; ASD has observed re-exploitation even after initial notifications to affected entities. A reboot also does not reverse other malicious actions already taken on the device.

The security alert highlights the importance of system operators applying patches, limiting public access to web user interfaces, and following Cisco's hardening guidelines to prevent exploitation.
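As an added illustration of the "limit public access to the web UI" mitigation (example code written for this page, not ASD's or Cisco's own tooling), the following audit reads an IOS XE running-config excerpt and flags whether the HTTP/HTTPS web UI that CVE-2023-20198 is reached through is enabled and unrestricted. The config sample is constructed; the ACL name WEBUI-MGMT in the suggested remediation is a hypothetical placeholder.

```python
from typing import List

# Constructed sample running-config excerpt (not taken from the advisory).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
"""


def audit_webui(running_config: str) -> List[str]:
    """Return findings about web UI exposure in an IOS XE running-config.

    Heuristic: the web UI listens when 'ip http server' (HTTP) or
    'ip http secure-server' (HTTPS) is present; an 'ip http access-class'
    line limits which source addresses may reach it. Web UI enabled with
    no access-class is reported as unrestricted.
    """
    lines = [line.strip() for line in running_config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    restricted = any(line.startswith("ip http access-class") for line in lines)

    findings: List[str] = []
    if not (http_on or https_on):
        return findings  # web UI disabled: nothing exposed on this path
    enabled = [name for name, on in (("HTTP", http_on), ("HTTPS", https_on)) if on]
    findings.append("web UI enabled via " + "/".join(enabled))
    if not restricted:
        findings.append("no 'ip http access-class' restricting web UI sources")
    return findings


def remediation(findings: List[str]) -> List[str]:
    """Suggest config lines: disable the web UI, or at minimum restrict it."""
    if not findings:
        return []
    cmds = ["no ip http server", "no ip http secure-server"]
    if any(f.startswith("no 'ip http access-class'") for f in findings):
        # Hypothetical ACL name; if the web UI must stay up, bind it to a management ACL.
        cmds.append("ip http access-class ipv4 WEBUI-MGMT")
    return cmds
```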