The Australian government is warning about ongoing cyberattacks against unpatched Cisco IOS XE devices in the country to infect routers with the BadCandy webshell. [...]
# Incident Report: Persistent BadCandy Webshell Infections on Cisco IOS XE Devices
## Executive Summary
The Australian government, specifically the Australian Signals Directorate (ASD), issued warnings regarding ongoing cyberattacks exploiting the unpatched Cisco IOS XE vulnerability CVE-2023-20198 to install the BadCandy webshell on routers. Attackers gained unauthorized root-level command execution capabilities. While exploitation peaked earlier, substantial compromise remains, with over 150 devices still affected as of late October 2025, indicating widespread failure to deploy critical patches released in October 2023.
## Incident Details
- Discovery Date: The underlying vulnerability was publicly disclosed in October 2023; the current ASD warnings were issued in late October 2025.
- Incident Date: Ongoing exploitation noted since at least 2024, with a specific warning regarding activity since July 2025.
- Affected Organization: Multiple organizations utilizing internet-exposed, unpatched Cisco IOS XE routers in Australia.
- Sector: Not specified by the source; telecommunications (implied by the state-actor context) and broader infrastructure.
- Geography: Australia.
## Timeline of Events
### Initial Access
- Date/Time: Followed the public release of exploit code (circa November 2023) and continued through 2024 and 2025.
- Vector: Exploitation of **CVE-2023-20198**.
- Details: Remote, unauthenticated threat actors exploited the web user interface flaw to create a local administrator account, leading to device takeover.
### Lateral Movement
- Not explicitly detailed, but successful initial access with root privileges implies the ability to execute arbitrary commands on the compromised router.
### Data Exfiltration/Impact
- The presence of the BadCandy webshell grants root-level command execution, allowing for potential unauthorized data access, configuration changes, and ongoing espionage leveraging the compromised network perimeter device.
### Detection & Response
- Detection: Identification of BadCandy variants on devices throughout 2024 and 2025, tracked by ASD.
- Response actions: ASD sent notifications to identified victims including instructions on patching, hardening, and incident response. ASD requested ISPs contact owners of untraceable devices on their behalf.
## Attack Methodology
- Initial Access: Exploitation of Cisco IOS XE vulnerability **CVE-2023-20198**.
- Persistence: **BadCandy webshell** (Lua-based), which reintroduces itself upon reboot if the underlying vulnerability remains unpatched and the web interface is accessible.
- Privilege Escalation: Exploiting CVE-2023-20198 to gain local admin privileges, leading to **root privileges** via the webshell.
- Defense Evasion: Multiple BadCandy variants were observed across the campaign, suggesting the implant is being modified to remain undetected or to exploit default device configurations.
- Credential Access: Not explicitly detailed, but gaining root access supersedes typical credential harvesting in this context.
- Discovery: Not detailed, but common reconnaissance is implied for identifying vulnerable internet-facing devices.
- Lateral Movement: Not detailed, but compromised routers provide an excellent pivot point into internal networks.
- Collection: Potential for command execution allows flexible data collection configured by the attacker.
- Exfiltration: Specific methods not detailed, but data could be exfiltrated via established command-and-control channels facilitated by the webshell.
- Impact: Device control, persistent remote access infrastructure, potential broader network compromise.
## Impact Assessment
- Financial: Not quantified, but significant costs related to incident response, remediation, and potential data loss mitigation are implied for hundreds of affected entities.
- Data Breach: Potential for interception of network traffic, configuration data, or related stored data on the router, though specific data types are not listed.
- Operational: Risk of network instability or Denial of Service if device functions are maliciously altered. Ongoing risk due to re-exploitation attempts.
- Reputational: Significant reputational damage to Australian organizations relying on secure communications infrastructure.
## Indicators of Compromise
- **Network indicators:** No specific addresses are listed by the source; exploitation traffic targets the Cisco IOS XE Web UI (the HTTP/HTTPS management interface).
- **File indicators:** BadCandy webshell artifacts (Lua-based code).
- **Behavioral indicators:** Evidence of the creation of unauthorized local administrator accounts; attempts to re-establish BadCandy implants after removal.
## Response Actions
- Containment measures: Identifying and disabling the web interface (if feasible without service disruption) on susceptible devices.
- Eradication steps: Applying the vendor-supplied patch for CVE-2023-20198. Removing existing BadCandy implants.
- Recovery actions: Monitoring devices for re-exploitation attempts and verifying configuration integrity.
## Lessons Learned
- The primary lesson is the catastrophic risk associated with failing to promptly patch maximum-severity, actively exploited vulnerabilities. Exploits for critical issues can become widely available, leading to sustained mass exploitation years later.
- Repeated re-exploitation of the same vulnerable devices after victims were notified indicates that patching guidance was not universally followed, even amid government warnings.
## Recommendations
- Organizations must immediately verify if they run Cisco IOS XE software and apply the mandated security patches corresponding to CVE-2023-20198 (and subsequent related advisories).
- Restrict access to the Cisco IOS XE Web UI to the absolute minimum necessary trusted IP addresses or management VPNs, rather than leaving it exposed to the public internet.
- Establish robust, automated vulnerability scanning and patch management systems designed to address critical, externally facing software immediately upon patch release.
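The behavioral indicators above (an unexpected privilege-15 local account) and the containment and recommendation steps (restricting or disabling the Web UI) can both be checked against a device's running configuration. The following is an added example written for this report, not code from ASD, Cisco, or the source article; the config excerpt, the `netops`/`svc_tac` account names and the `MGMT-ONLY` ACL name are constructed placeholders.

```python
import re

# Constructed IOS XE running-config excerpt for illustration; not from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_tac privilege 15 secret 9 $9$PLACEHOLDER
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 access-class MGMT-ONLY in
"""


def audit_webui_exposure(config: str, expected_admins: set) -> dict:
    """Review a running-config for two signals tied to CVE-2023-20198:
    privilege-15 local users not on the known-admin list (exploitation
    creates one) and an HTTP(S) server enabled without an
    'ip http access-class' restriction. Config review only, not a scanner."""
    findings = {"unexpected_admins": [], "http": False, "https": False,
                "access_class": False}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^username (\S+) privilege 15\b", line)
        if m and m.group(1) not in expected_admins:
            findings["unexpected_admins"].append(m.group(1))
        elif line == "ip http server":
            findings["http"] = True
        elif line == "ip http secure-server":
            findings["https"] = True
        elif line.startswith("ip http access-class"):
            findings["access_class"] = True
    findings["webui_exposed"] = ((findings["http"] or findings["https"])
                                 and not findings["access_class"])
    return findings


def remediation_commands(findings: dict, mgmt_acl: str = "MGMT-ONLY",
                         disable_webui: bool = False) -> list:
    """Config lines matching the report's containment steps: restrict the
    Web UI to a management ACL (assumed placeholder name) or disable it, and
    remove unexpected admin accounts. Patching CVE-2023-20198 is still required."""
    cmds = []
    if findings["webui_exposed"]:
        cmds += (["no ip http server", "no ip http secure-server"] if disable_webui
                 else [f"ip http access-class ipv4 {mgmt_acl}"])
    for user in findings["unexpected_admins"]:
        cmds.append(f"no username {user}")  # confirm the account is not legitimate first
    return cmds
```

Run the audit against `show running-config` output exported from each device and review any unexpected admin account before removing it, since the exploit's account is only one of several possible privilege-15 users.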