Australia warns of attacks on unpatched Cisco IOS XE devices exploiting CVE-2023-20198, allowing BadCandy webshell install.

The Australian Signals Directorate (ASD) warns of ongoing attacks on unpatched Cisco IOS XE devices exploiting [CVE-2023-20198](https://securityaffairs.com/152552/hacking/cisco-ios-xe-zero-day.html), allowing BadCandy webshell infections and admin takeover.

*"Cyber actors are installing an implant dubbed 'BADCANDY' on Cisco IOS XE devices that are vulnerable to CVE-2023-20198. Variations of the BADCANDY implant have been observed since October 2023, with renewed activity notable throughout 2024 and 2025," reads the [alert](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy) issued by the ASD.*

An attacker can exploit the vulnerability [CVE-2023-20198](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) (CVSS score 10) in Cisco IOS XE Software to gain administrator privileges and take over vulnerable routers. The [advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) published by the vendor states that exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.

The flaw affects physical and virtual devices running with the Web User Interface (Web UI) feature enabled and that have the HTTP or HTTPS Server feature in use.

Since July 2025, the Australian agency has observed over 400 devices in the country potentially compromised with BADCANDY. As of late October 2025, over 150 devices compromised with BADCANDY in Australia are still exposed online. BADCANDY is a Lua-based webshell deployed by exploiting CVE-2023-20198 on Cisco IOS XE devices. It does not persist across a reboot, but attackers may retain access via stolen credentials. Patching and restricting Web UI access are required to prevent re-exploitation.

*"ASD believes actors are able to detect when the BADCANDY implant is removed and are re-exploiting the devices. This further highlights the need to patch against CVE-2023-20198 to avoid re-exploitation," continues the alert.*

ASD is notifying affected entities and providing patching, reboot, hardening, and incident response guidance. The agency will continue to issue alerts so that operators know when their devices have been compromised.

Government experts recommend that operators remove BADCANDY by reviewing and deleting unauthorized privileged accounts, checking for unknown tunnel interfaces, and monitoring configuration changes via TACACS+ logging.

Organizations should follow [Cisco guidance](https://sec.cloudapps.cisco.com/security/center/resources/IOS_XE_hardening): disable the HTTP server feature and apply the IOS XE hardening guide to prevent future BADCANDY compromises.

[Pierluigi Paganini](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559) ([SecurityAffairs](http://securityaffairs.co/wordpress/))
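As an added example (not code from the article, from ASD or from Cisco), the following Python script turns the remediation checklist above into a repeatable audit of a Cisco IOS XE running-config: it flags privilege-15 local users that are not on the operator's allow-list, an HTTP/HTTPS server (Web UI) that is still enabled, Tunnel interfaces that are not in inventory, and missing TACACS+ command accounting, then emits candidate config lines for review. The sample config, hostname, usernames, addresses and allow-lists are all constructed assumptions; the emitted lines are standard IOS XE commands, and, as ASD stresses, removing the implant without patching does not stop re-exploitation.

```python
import re

# Constructed sample IOS XE running-config excerpt (assumption; not from a real device).
# Hostname, usernames, addresses and the secret placeholder are all made up.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username backup_svc privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.9
!
end
"""

# Allow-lists an operator would maintain from change records (constructed).
EXPECTED_PRIV15_USERS = {"netops"}
EXPECTED_TUNNELS = set()


def audit_config(config, expected_priv15=EXPECTED_PRIV15_USERS,
                 expected_tunnels=EXPECTED_TUNNELS):
    """Return a list of (finding, detail) tuples for a running-config string."""
    findings = []

    # 1. Local accounts at privilege level 15 that nobody on the team created.
    priv15 = set(re.findall(r"^username (\S+) privilege 15\b", config, re.M))
    for user in sorted(priv15 - expected_priv15):
        findings.append(("unexpected-priv15-user", user))

    # 2. Web UI still reachable: 'ip http server' / 'ip http secure-server' active.
    #    Lines already prefixed with 'no ' do not match because of the ^ anchor.
    for m in re.finditer(r"^ip http (?:secure-)?server$", config, re.M):
        findings.append(("web-ui-enabled", m.group(0)))

    # 3. Tunnel interfaces that are not in the operator's inventory.
    tunnels = set(re.findall(r"^interface (Tunnel\d+)\b", config, re.M))
    for tun in sorted(tunnels - expected_tunnels):
        findings.append(("unexpected-tunnel", tun))

    # 4. Command accounting to TACACS+ is the audit trail for config changes.
    if not re.search(r"^aaa accounting commands 15 .*group tacacs\+", config, re.M):
        findings.append(("no-tacacs-command-accounting", ""))

    return findings


def remediation_commands(findings):
    """Candidate IOS XE config lines for each finding, for operator review."""
    cmds = []
    for kind, detail in findings:
        if kind == "unexpected-priv15-user":
            cmds.append(f"no username {detail}")
        elif kind == "web-ui-enabled":
            cmds.append(f"no {detail}")  # disables the Web UI transport
        elif kind == "unexpected-tunnel":
            cmds.append(f"no interface {detail}")
        elif kind == "no-tacacs-command-accounting":
            cmds.append("aaa accounting commands 15 default start-stop group tacacs+")
    return cmds


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for kind, detail in results:
        print(f"{kind:30} {detail}")
    print("--- candidate remediation (review before applying) ---")
    for line in remediation_commands(results):
        print(line)
```

Run it against the output of `show running-config` collected over the management channel; on the constructed sample it reports one unexpected privilege-15 user, both Web UI transports enabled and one unknown tunnel, while the TACACS+ accounting line is present. Because a rebooted device loses the implant but keeps any attacker-created account, the account and tunnel checks are the ones worth re-running after every reboot.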