
Cybersecurity Alert: ASD Warns of Ongoing BADCANDY Attacks Targeting Cisco IOS XE

We have reached a critical moment in cybersecurity. The Australian Signals Directorate (ASD) has issued a warning about active attacks using a tool called BADCANDY. These attacks focus on devices running Cisco IOS XE, especially where the web user interface is enabled. The vulnerability under attack is known as CVE‑2023‑20198 and carries the maximum severity score of 10.0.
We need to pay attention now because the risk is real and many organizations still run the affected systems. The threat is unfolding globally, so we must understand what is happening, how these attacks work, and who is most at risk.

What is BADCANDY?

BADCANDY is a malware implant, or web shell, that attackers install on vulnerable Cisco IOS XE devices. It gives the attacker control of the device. The implant is written in the Lua programming language and is lightweight. It may not persist through a reboot, but the administrator accounts the attacker creates alongside it will.

Earlier alerts show that variations of BADCANDY have been used since October 2023, and new waves continue through 2024 and 2025. The purpose is clear: to gain administrative access to routers and switches, manipulate configurations, and possibly use them as footholds for broader attacks.

Cisco IOS XE: Importance and Vulnerabilities

Cisco IOS XE is one of the key operating systems for many enterprise and service‑provider networks. It powers routers, switches, and other core infrastructure. Because it sits at the heart of network operations, a vulnerability here can ripple across many systems, and attackers can exploit it to gain a strong advantage. The main vulnerability being exploited is CVE‑2023‑20198, which affects devices with the web UI feature enabled. An attacker who exploits it can create new privileged accounts on the device without needing any existing credentials.
Further, this vulnerability can be chained: after initial access via CVE‑2023‑20198, another flaw (CVE‑2023‑20273) allows root‑level code execution.
Many organizations have failed to disable or patch the web UI feature, leaving a wide attack surface.

How BADCANDY Attacks Work

Let’s walk through the typical attack chain.

  • The attacker finds a Cisco IOS XE device with its web UI enabled.
  • They exploit CVE‑2023‑20198 to create an account at privilege level 15, which carries full administrator rights.
  • With that account, they exploit CVE‑2023‑20273 to run commands as root and write the implant (BADCANDY) onto the system.
  • The implant enables remote, post‑compromise control: attackers can send commands, establish tunnels, or pivot into other parts of the network.
  • The implant is not persistent; rebooting the device removes it. But the attacker‑created accounts remain, and in many cases the attackers notice when the implant is gone and reinstall it.
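
The chain above rests on two conditions a defender can audit from the device's own configuration: whether the web UI is enabled, and whether privilege‑15 accounts exist that nobody provisioned (the part that survives a reboot). The Python script below is an added example for this article, not tooling from ASD or Cisco. It parses a constructed `show running-config` excerpt, flags both conditions against an assumed allowlist of approved administrators (`APPROVED_ADMINS`, a placeholder for your own list), and reports the IOS XE lines that would remove the exposure.

```python
"""
Audit a Cisco IOS XE running-config for the two conditions the BADCANDY chain
depends on: the web UI (HTTP/HTTPS server) being enabled, and local accounts
at privilege 15 that the operator did not provision.

Added example for this article; not ASD's or Cisco's own tooling. The config
text is constructed, and APPROVED_ADMINS is an assumption (replace it with the
accounts your organisation actually provisions).
"""
import re
from dataclasses import dataclass, field

# Constructed sample config: web UI on, one legitimate admin, one unexpected one.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$constructedhashA
username svc_backup privilege 15 secret 9 $9$constructedhashB
username monitor privilege 1 secret 9 $9$constructedhashC
!
ip http server
ip http secure-server
!
end
"""

# Assumption: the privilege-15 accounts your organisation legitimately created.
APPROVED_ADMINS = {"netadmin"}

# "username <name> privilege <level> ..." lines; "no username ..." lines do not match.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)
# Either form of the web UI listener; a "no ip http ..." line does not match.
HTTP_RE = re.compile(r"^ip http (?:secure-server|server)[ \t]*$", re.MULTILINE)


@dataclass
class AuditResult:
    web_ui_enabled: bool
    http_lines: list[str] = field(default_factory=list)
    privilege15_users: list[str] = field(default_factory=list)
    unexpected_admins: list[str] = field(default_factory=list)

    def remediation(self) -> list[str]:
        """IOS XE config lines that would close the findings (review before applying)."""
        steps: list[str] = []
        if self.web_ui_enabled:
            steps += ["no ip http server", "no ip http secure-server"]
        steps += [f"no username {user}" for user in self.unexpected_admins]
        return steps


def audit_config(config_text: str, approved_admins: set[str] = APPROVED_ADMINS) -> AuditResult:
    """Flag web UI exposure and privilege-15 users outside the approved set."""
    http_lines = [m.group(0).strip() for m in HTTP_RE.finditer(config_text)]
    priv15 = [name for name, level in USERNAME_RE.findall(config_text) if int(level) == 15]
    unexpected = [name for name in priv15 if name not in approved_admins]
    return AuditResult(
        web_ui_enabled=bool(http_lines),
        http_lines=http_lines,
        privilege15_users=priv15,
        unexpected_admins=unexpected,
    )


if __name__ == "__main__":
    result = audit_config(SAMPLE_RUNNING_CONFIG)
    print("web UI enabled:", result.web_ui_enabled, result.http_lines)
    print("privilege-15 users:", result.privilege15_users)
    print("unexpected admins:", result.unexpected_admins)
    print("suggested remediation:", result.remediation())
```

Run it against real `show running-config` output rather than the sample, and keep the allowlist under change control. Because the implant itself may not survive a reboot while the accounts do, the account check is the durable signal; a device that shows a clean web UI setting but an unexplained level‑15 user still warrants a full compromise review.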

In one example, ASD noted that since July 2025, over 400 devices in Australia were likely compromised. By late October 2025, more than 150 were still exposed. This shows that the problem is not a single vulnerability but a chain: exploitation, implant, re‑exploitation, and stealth.

Who is at Risk?

The highest‑risk organizations are those that use Cisco IOS XE in internet‑facing or semi‑internet‑facing roles and have not disabled the web UI feature. These include ISPs, telecom providers, large enterprises, and government agencies. Any organization that has aging infrastructure or delays patching is vulnerable. Companies with broadly exposed network devices and no tight access controls are especially exposed. The threat also crosses national boundaries: while the ASD alert focuses on Australia, the same device types and vulnerabilities exist globally. State‑sponsored groups (e.g., the Chinese “Salt Typhoon”) have been linked to this campaign.

Broader Implications

This kind of attack underscores how critical infrastructure is at risk. Network devices are often under‑protected compared to servers or endpoints. When routers or switches are compromised, the attacker may intercept traffic, redirect flows, or hide in the network. The economic damage can be major, including downtime, data loss, and reputational harm.
This also shows how long‑standing vulnerabilities can persist in large systems. Even though the patch was released in October 2023, exploitation continues into 2025. That gap is dangerous. For cybersecurity broadly, it means threat models must cover the supply chain and network infrastructure, not just endpoints.

Conclusion

We’ve seen the alert from ASD about the BADCANDY attacks targeting Cisco IOS XE devices. We defined what BADCANDY is, why the Cisco system matters, how the attacks work, and who is most at risk. The key takeaway is simple: the threat is real. Devices we assume are stable can be exploited and serve as pathways for larger attacks. We need to stay alert, understand our infrastructure, and monitor for signs of compromise. In cybersecurity, awareness matters, and this case is a strong reminder that no device is so “low‑level” that it can be ignored.

Disclaimer:

The content shared by Meyka AI PTY LTD is solely for research and informational purposes. Meyka is not a financial advisory service, and the information provided should not be considered investment or trading advice.
