Attackers Exploit Cisco IOS XE Vulnerability to Deploy BADCANDY Web Shell

Cybersecurity authorities are warning of ongoing exploitation campaigns targeting Cisco IOS XE devices through a critical vulnerability, with threat actors deploying a sophisticated web shell known as BADCANDY.

The Australian Signals Directorate (ASD) has confirmed that over 150 devices remain compromised across the country as of late October 2025, despite extensive remediation efforts spanning more than two years.

The BADCANDY implant represents a persistent threat to organizations running vulnerable Cisco IOS XE Software with the web user interface feature enabled.

This Lua-based web shell has been actively deployed since October 2023, with ASD observing renewed exploitation activity throughout 2024 and continuing into 2025.

Security researchers characterize BADCANDY as a low-equity implant, meaning it requires relatively minimal technical sophistication to deploy once initial access is gained.

What makes this threat particularly concerning is the attackers’ methodology following compromise. Cyber actors have been observed applying non-persistent patches to vulnerable devices post-exploitation, effectively masking the device’s vulnerability status and making detection significantly more challenging for network administrators.

The implant leverages CVE-2023-20198, a critical privilege escalation vulnerability affecting Cisco IOS XE Software’s web UI feature that carries a maximum CVSS score of 10.0.

While the BADCANDY implant itself does not persist following a device reboot, the threat extends beyond simple malware removal.

Sophisticated threat actors frequently exfiltrate account credentials or establish alternative persistence mechanisms during their initial compromise, allowing them to maintain network access even after the implant is removed.

This reality has created a dangerous cycle of re-exploitation, as unpatched devices with exposed web interfaces remain vulnerable to repeated attacks.

CVE-2023-20198 Powers Widespread Campaign

The vulnerability enabling these attacks, CVE-2023-20198, affects the web user interface feature of Cisco IOS XE Software and allows remote, unauthenticated attackers to create highly privileged accounts on vulnerable systems.

Once exploited, threat actors gain complete control over affected devices, positioning them to pivot deeper into enterprise networks or intercept sensitive communications flowing through these critical infrastructure components.

This vulnerability has gained notoriety within the cybersecurity community, earning a place among the top routinely exploited vulnerabilities of 2023.

Advanced persistent threat groups have incorporated CVE-2023-20198 into their operational playbooks, with ASD specifically identifying SALT TYPHOON as one actor leveraging this attack vector for global espionage operations.

The vulnerability’s exploitation requires the web UI feature to be enabled through either the “ip http server” or “ip http secure-server” commands in the device configuration.

Security telemetry from Australia demonstrates the scale of this ongoing threat. ASD assessed that over 400 devices were potentially compromised with BADCANDY since July 2025 alone.

While victim notification campaigns have achieved some success in reducing infections, the number of compromised devices has stabilized around 150 as of late October 2025.

This plateau indicates that threat actors are continuously scanning for vulnerable devices and re-exploiting systems where administrators have removed the implant without applying the underlying security patch.

Intelligence assessments from ASD indicate that both criminal and state-sponsored cyber actors are leveraging the BADCANDY implant for various objectives.

The relatively low technical barrier to deploying this web shell has made it attractive to a diverse range of threat actors, from financially motivated cybercriminals to sophisticated espionage groups conducting long-term intelligence collection operations.

Evidence suggests that threat actors possess the capability to detect when the BADCANDY implant has been removed from a compromised device.

This sophisticated monitoring enables them to rapidly re-exploit unpatched systems, sometimes targeting the same devices that ASD had previously issued victim notifications for. This cat-and-mouse dynamic underscores the critical importance of applying the official Cisco patch rather than simply removing the implant through device reboots.

Remediation Required to Eliminate Threat

Security experts emphasize that organizations must take multiple coordinated actions to effectively address BADCANDY compromises. Simply rebooting affected devices will remove the implant but leaves the underlying vulnerability unresolved, creating an opportunity for immediate re-exploitation.

Administrators must examine running configurations for suspicious accounts with privilege 15 access, particularly those containing random strings or names like “cisco_tac_admin,” “cisco_support,” “cisco_sys_manager,” or “cisco”. Unknown tunnel interfaces appearing as “interface tunnel[number]” in configurations should also be investigated and removed.

Cisco has published comprehensive security advisories detailing fixed software releases for affected IOS XE versions, including 17.9.4a, 17.6.6a, 17.3.8a, and 16.12.10a for specific Catalyst switch models.

Organizations must apply these patches and follow Cisco’s hardening guidance, particularly recommendations to disable the HTTP server feature unless absolutely required for operations. For networks requiring web UI access, administrators should implement strict access control lists restricting connectivity to trusted source addresses only.
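The configuration review described above (privilege 15 accounts, unknown tunnel interfaces, and whether the web UI is enabled via `ip http server` / `ip http secure-server`) can be scripted against a saved `show running-config` export. The following is an added example written for this article, not ASD or Cisco tooling; the config excerpt is constructed, the `secret 9 $9$placeholder` hashes are placeholders, and the `approved_admins` allow-list is an assumed input the operator supplies.

```python
import re

# Constructed sample running-config excerpt (not a real device capture) carrying
# the indicators the advisory lists: an attacker-style privilege 15 account, an
# unexplained Tunnel interface, and the web UI left enabled.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username x7q2 privilege 15 secret 9 $9$placeholder
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel7
 tunnel source GigabitEthernet0/0/0
ip http server
ip http secure-server
"""

# Account names called out in the advisory. Any other privilege 15 account that
# is not on the operator's approved list is reported too, so random-string
# names are not missed.
SUSPECT_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}


def audit_running_config(config: str, approved_admins: set[str]) -> dict:
    """Collect the post-compromise indicators an IOS XE operator should review."""
    findings = {"suspect_accounts": [], "unapproved_priv15": [],
                "tunnel_interfaces": [], "http_server": []}
    for line in config.splitlines():
        m = re.match(r"^username (\S+) .*\bprivilege 15\b", line)
        if m:
            name = m.group(1)
            if name in SUSPECT_NAMES:
                findings["suspect_accounts"].append(name)
            elif name not in approved_admins:
                findings["unapproved_priv15"].append(name)
        # Every Tunnel interface is listed; the operator confirms which are expected.
        m = re.match(r"^interface (Tunnel\d+)", line, re.IGNORECASE)
        if m:
            findings["tunnel_interfaces"].append(m.group(1))
        # Web UI exposure: either command means CVE-2023-20198 is reachable if unpatched.
        if re.match(r"^ip http (secure-)?server\s*$", line):
            findings["http_server"].append(line.strip())
    return findings


if __name__ == "__main__":
    for key, hits in audit_running_config(SAMPLE_CONFIG, {"netops"}).items():
        print(f"{key}: {hits}")
```

A clean result is an empty list for the first three keys and, where the web UI is not needed, an empty `http_server` list as well; any hit still needs a patched image before the account or interface is removed, since removal alone invites re-exploitation.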

ASD continues conducting victim notifications through service providers when system operators cannot be directly identified, providing detailed instructions for incident response and remediation.

The persistent nature of this threat campaign, spanning more than two years with active re-exploitation occurring regularly, demonstrates that edge device security requires ongoing vigilance and prompt patching to protect critical network infrastructure from compromise.

The post Attackers Exploit Cisco IOS XE Vulnerability to Deploy BADCANDY Web Shell appeared first on Cyber Security News.
