BadCandy exploitation of Cisco IOS XE routers in Australia
Updated 01.11.2025 15:43
Contributing reports
- Vulnerability report: anchors the case on the **Cisco IOS XE** web UI flaw and the takeover path used to plant **BadCandy**.
- Exploitation-wave report: adds the Australia exploitation-wave reporting, compromise counts, and remediation guidance for the same **CVE-2023-20198** activity.
- Exploitation-wave report: reinforces the same **BadCandy** reinfection pattern on exposed **Cisco IOS XE** systems in Australia.
Active exploitation
Public PoC/exploit reported
Patch available
CVSS: 10.0 Critical
First seen 31.10.2025 17:38
Last seen 01.11.2025 15:43
Overview
Ongoing exploitation of **CVE-2023-20198** on **Cisco IOS XE** routers in Australia is letting threat actors plant the **BadCandy** webshell on exposed management interfaces. Cisco fixed the flaw in October 2023, but available evidence shows repeated compromise across 2024 and 2025 on systems that stayed reachable and unpatched.
ASD says as many as **400 devices** may have been compromised since July 2025, with **more than 150** still compromised in late October 2025. Operators are being told to patch, harden the web UI, and review privileged accounts and command-accounting logs; rebooting alone does not remove the underlying exposure.
Attackers are exploiting **CVE-2023-20198** on **Cisco IOS XE** devices in Australia to plant the **BadCandy** Lua webshell on exposed routers. The flaw lets a remote unauthenticated attacker create a local admin account through the web interface and take control of the device. Cisco fixed the vulnerability in October 2023, but public exploit availability and exposed management interfaces kept the attack path open through 2024 and 2025.
ASD assessed that as many as **400 devices** in Australia were potentially compromised since July 2025, and more than **150 devices** were still compromised in late October 2025. The webshell is removed on reboot, but attackers can reintroduce it whenever the web interface remains reachable, so rebooting alone does not close the exposure. ASD and Cisco are telling operators to patch, harden access to the web user interface, review privileged accounts and TACACS+ command accounting logs, and contact affected owners through ISPs where needed. Available evidence does not establish the full global reach or firm attribution for the activity, so the broader scope remains unquantified.
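The hardening and review steps above can be checked against an exported running-config. The following audit script is an added example, not code from ASD or Cisco; the sample config excerpt, the `audit_ios_xe_config` function and the expected-admin set are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc-backup privilege 1 secret 9 $9$placeholder
username tmp-admin privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 transport input ssh
"""

def audit_ios_xe_config(config: str, expected_admins: Set[str]) -> Dict[str, object]:
    """Flag settings that keep the CVE-2023-20198 path open: web UI enabled with
    no access-class, privilege-15 users beyond the expected set, no TACACS+ accounting."""
    lines = [line.strip() for line in config.splitlines()]
    # The flaw is reached through the HTTP/HTTPS web UI.
    http_enabled = any(l in ("ip http server", "ip http secure-server") for l in lines)
    http_restricted = any(l.startswith("ip http access-class ") for l in lines)
    # Command accounting to TACACS+ records privileged changes such as account creation.
    accounting = any(re.match(r"aaa accounting commands 15 \S+ .*group tacacs\+", l) for l in lines)
    # Exploitation ends in a new local admin account, so list every privilege-15 user.
    priv15: List[str] = []
    for l in lines:
        m = re.match(r"username (\S+) privilege 15\b", l)
        if m:
            priv15.append(m.group(1))
    unexpected = sorted(set(priv15) - expected_admins)
    findings: List[str] = []
    if http_enabled and not http_restricted:
        findings.append("web UI enabled with no ip http access-class restriction")
    if unexpected:
        findings.append("unexpected privilege-15 accounts: " + ", ".join(unexpected))
    if not accounting:
        findings.append("no TACACS+ command accounting for privilege 15")
    return {
        "http_enabled": http_enabled,
        "http_restricted": http_restricted,
        "unexpected_priv15": unexpected,
        "command_accounting": accounting,
        "findings": findings,
    }
```

Run it over `show running-config` output from each exposed device and compare the privilege-15 list against the change record; an account nobody created is the signal to investigate, and a reboot alone will not make it go away.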