Thursday November 27, 2025

Advisory ID: NCC-CSIRT-2025-023

Summary: 

The Australian Signals Directorate (ASD) has issued an alert on BADCANDY, a malicious implant actively exploiting a critical Cisco IOS XE vulnerability (CVE-2023-20198, CVSS 10.0). The exploit allows remote attackers to gain full administrative control of Cisco routers and switches without authentication. Once compromised, attackers deploy a Lua-based backdoor (BADCANDY) to execute commands, hide traces, and maintain control of affected systems.

Over 400 devices have been compromised globally since July 2025, with active infections reported across telecommunications and internet service networks. The persistence and global spread of this campaign raise concerns that similar attacks could target telecommunication infrastructure in West Africa, including Nigeria, due to the widespread deployment of Cisco IOS XE devices in the region.

Damage/Probability: Critical/High

Product(s): 

  • Cisco IOS XE Software (web user interface / HTTP/HTTPS server features)
  • Cisco routers and switches running IOS XE with the exposed Web UI feature
  • Network edge infrastructure used by Telecom Operators, ISPs, and Government Agencies

Version(s): 

All versions of Cisco IOS XE Software before the official patch for CVE-2023-20198.

Platform(s): 

Edge routers and switches in enterprise, government, and service-provider networks, particularly those with Internet-exposed Web UI features.

Description: 

Attackers exploit the Cisco IOS XE Web UI feature to create a privileged (level 15) account, granting full administrative rights. They then deploy the BADCANDY implant, a Lua-based web shell that executes arbitrary commands and hides malicious configuration changes.

The implant may be removed upon reboot, but attackers can regain access through previously created accounts or re-exploitation of the same vulnerability. Repeated compromises have been observed globally, confirming active and automated scanning for unpatched devices.

Technical indicators include:

  • Presence of unknown or unauthorized level 15 privileged accounts (e.g., cisco_tac_admin, cisco_support, or random names).
  • Unfamiliar tunnel interfaces or modified routing configurations.
  • Unexpected HTTP/HTTPS access to IOS XE management ports from the Internet.
  • Logs showing configuration changes outside maintenance windows.
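
The indicators above can be checked mechanically against a saved copy of `show running-config`. The Python script below is an added example, not code from the advisory, ASD or Cisco: it walks a constructed IOS XE configuration sample, flags level 15 accounts that are absent from an operator-maintained allowlist, flags tunnel interfaces that are not on the known list, and reports whether the Web UI is enabled. The hostname, account names, addresses and allowlist contents are all assumptions made for the example.

```python
"""Audit an IOS XE running-config for the BADCANDY-related indicators.

Added example; the configuration text is constructed to resemble IOS XE
syntax and does not come from a real device.
"""
import re
from dataclasses import dataclass, field

# Constructed sample running-config (assumed names and addresses).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
username cisco_tac_admin privilege 15 secret 9 $9$def
username monitor privilege 1 secret 9 $9$ghi
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.0
!
interface Tunnel1000
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
!
ip http server
ip http secure-server
!
end
"""

# 'username NAME ... privilege 15 ...' in either command order.
USERNAME_RE = re.compile(r"^username (\S+)(?: .*)? privilege 15\b")
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)\b")
# Exact Web UI enable commands; a leading 'no ' means the feature is off.
WEBUI_CMDS = {"ip http server", "ip http secure-server"}


@dataclass
class AuditResult:
    unknown_level15: list = field(default_factory=list)
    unknown_tunnels: list = field(default_factory=list)
    webui_enabled: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not (self.unknown_level15 or self.unknown_tunnels or self.webui_enabled)

    def findings(self) -> list:
        """Human-readable findings, highest severity first."""
        out = [f"HIGH: unauthorized level 15 account '{u}'" for u in self.unknown_level15]
        out += [f"HIGH: unexpected tunnel interface {t}" for t in self.unknown_tunnels]
        out += [f"MEDIUM: Web UI enabled by '{w}' (disable unless required)" for w in self.webui_enabled]
        return out


def audit_config(config: str, known_admins, known_tunnels=frozenset()) -> AuditResult:
    """Compare a running-config against the operator's allowlists."""
    result = AuditResult()
    for raw in config.splitlines():
        line = raw.rstrip()
        m = USERNAME_RE.match(line)
        if m:
            if m.group(1) not in known_admins:
                result.unknown_level15.append(m.group(1))
            continue
        m = TUNNEL_RE.match(line)
        if m:
            if m.group(1) not in known_tunnels:
                result.unknown_tunnels.append(m.group(1))
            continue
        if line in WEBUI_CMDS:
            result.webui_enabled.append(line)
    return result


if __name__ == "__main__":
    # Assumed allowlist: the only sanctioned level 15 account is 'netops'.
    for finding in audit_config(SAMPLE_CONFIG, known_admins={"netops"}).findings():
        print(finding)
```

On the sample, the script reports `cisco_tac_admin` as an unauthorized level 15 account, `Tunnel1000` as an unexpected tunnel, and both Web UI commands as enabled. A real deployment would feed it configs collected over SSH from each device and diff results against the previous run so that newly appearing accounts stand out.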

Impacts: 

  • Full takeover of routers and switches, allowing interception of traffic, rerouting, and installation of additional malware.
  • Data exfiltration and espionage on telecom backbones and enterprise networks.
  • Reinfection risk, as ASD confirmed that unpatched devices may be compromised repeatedly even after malware removal.
  • Service disruption or manipulation of routing tables, posing significant operational and regulatory risks for telecom operators and ISPs.
  • Potential spillover to national networks, as similar tactics could be used against Government communication backbones or critical national infrastructure.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

  • Conduct an immediate security audit of all Cisco IOS XE routers, particularly those with public IP interfaces.
  • Immediate patching: Apply Cisco’s official patch for CVE-2023-20198 on all affected IOS XE devices.
  • Reboot and harden: Reboot patched devices to clear the implant, then disable the Web UI (`ip http server` / `ip http secure-server`) unless strictly necessary.
  • Account and configuration audit:
      ◦ Review all admin-level accounts.
      ◦ Remove unknown or unauthorized users.
      ◦ Inspect tunnel and interface configurations.
  • Restrict access:
      ◦ Block HTTP/HTTPS management ports (TCP/80 and 443) from public access.
      ◦ Limit administrative access to internal management networks or VPN.
  • Implement continuous monitoring:
      ◦ Enable AAA logging for configuration changes.
      ◦ Use SIEM tools to detect new accounts or altered configurations.
  • Apply Cisco hardening guidelines for IOS XE devices used in telecom and enterprise environments.
  • Network segmentation: Isolate management interfaces from operational traffic.
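
The continuous-monitoring step can be prototyped before a SIEM rule is written. The Python below is an added example, not part of the advisory: it parses constructed syslog lines in the shape of IOS XE `%SYS-5-CONFIG_I` and `%PARSER-5-CFGLOG_LOGGEDCMD` messages (the latter is emitted when command logging is enabled under `archive` / `log config` / `logging enable`), raises an alert for configuration sessions that fall outside an assumed maintenance window or originate outside an assumed management prefix, and raises a higher alert for logged commands that create a level 15 account, touch a tunnel interface, or enable the Web UI. The hostname, timestamps, addresses, user names and window are all assumptions.

```python
"""Flag suspicious IOS XE configuration-change syslog events.

Added example; the log lines are constructed to match the documented
shape of IOS XE messages and are not from a real device.
"""
import re
from datetime import datetime, time

# Constructed sample syslog lines (IOS XE omits the year by default).
SAMPLE_LOGS = [
    "edge-rtr-01 Nov 23 02:13:41.512: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.5)",
    "edge-rtr-01 Nov 25 14:27:09.003: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (198.51.100.7)",
    "edge-rtr-01 Nov 25 14:27:10.118: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username cisco_support privilege 15 secret *****",
    "edge-rtr-01 Nov 25 14:27:12.402: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface Tunnel1000",
    "edge-rtr-01 Nov 26 09:01:55.777: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ntp server 10.20.0.1",
]

MAINT_WINDOW = (time(1, 0), time(3, 0))   # assumed daily window, device-local time
MGMT_NETS = ("10.20.",)                   # assumed internal management prefix

LOG_RE = re.compile(
    r"^(?P<host>\S+) (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%(?P<msg>[A-Z0-9]+-\d-[A-Z_]+): (?P<body>.*)$"
)

# Logged commands that match the advisory's technical indicators.
RISKY_CMDS = [
    (re.compile(r"^username \S+(?: .*)? privilege 15\b"), "level 15 account created/modified"),
    (re.compile(r"^interface Tunnel\d+\b"), "tunnel interface created/modified"),
    (re.compile(r"^ip http (?:secure-)?server$"), "Web UI enabled"),
]


def parse(line: str, year: int = 2025):
    """Return a dict with host, timestamp, message id and body, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['hms']}", "%b %d %Y %H:%M:%S")
    return {"host": m["host"], "ts": ts, "msg": m["msg"], "body": m["body"]}


def in_maintenance(ts: datetime) -> bool:
    start, end = MAINT_WINDOW
    return start <= ts.time() < end


def detect(lines) -> list:
    """Return (severity, timestamp, description) tuples for suspicious events."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["msg"] == "SYS-5-CONFIG_I":
            src = re.search(r"\(([\d.]+)\)", ev["body"])
            src_ip = src.group(1) if src else "?"
            if not in_maintenance(ev["ts"]):
                alerts.append(("MEDIUM", ev["ts"], f"config change outside maintenance window from {src_ip}"))
            if not src_ip.startswith(MGMT_NETS):
                alerts.append(("HIGH", ev["ts"], f"config session from non-management address {src_ip}"))
        elif ev["msg"] == "PARSER-5-CFGLOG_LOGGEDCMD":
            cmd = ev["body"].split("logged command:", 1)[-1].strip()
            for pattern, label in RISKY_CMDS:
                if pattern.match(cmd):
                    alerts.append(("HIGH", ev["ts"], f"{label}: {cmd}"))
    return alerts


if __name__ == "__main__":
    for sev, ts, desc in detect(SAMPLE_LOGS):
        print(f"{ts:%b %d %H:%M:%S} [{sev}] {desc}")
```

On the sample, the 02:13 session from the management network produces no alert, while the 14:27 session from 198.51.100.7 yields two alerts (outside the window, non-management source) and is followed by two HIGH alerts for the `username ... privilege 15` and `interface Tunnel1000` commands; the NTP change is ignored. The same conditions translate directly into SIEM correlation rules, and the `%PARSER-5-CFGLOG_LOGGEDCMD` source is only available if command logging has been enabled as the advisory recommends.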

References: