Case types: Vulnerability; Exploitation Wave (×2)

BadCandy exploitation of Cisco IOS XE routers in Australia

Case score: 70
Members: 3
First seen: 31.10.2025 17:38
Last seen: 01.11.2025 15:43
Latest activity / updated: 01.11.2025 15:43
Status: Active exploitation; public PoC/exploit reported; patch available; CVSS 10.0 (Critical)

Overview

Ongoing exploitation of **CVE-2023-20198** on **Cisco IOS XE** routers in Australia is letting operators plant the **BadCandy** webshell on exposed management interfaces. Cisco fixed the flaw in October 2023, but available evidence shows repeated compromise across 2024 and 2025 on systems that stayed reachable and unpatched. ASD says as many as **400 devices** may have been compromised since July 2025, with **more than 150** still compromised in late October 2025. Operators are being told to patch, harden the web UI, and review privileged accounts and command-accounting logs; rebooting alone does not remove the underlying exposure.

Signals

8 derived signals

Impact signals
- Affected: as many as 400 devices in Australia may have been compromised since July 2025, including 150 in October; over 150 devices were still compromised as at late October 2025

Exploitation
- Active exploitation
- CVSS 10.0 (Critical)
- Public PoC/exploit reported

CVEs/products
- CVE-2023-20198 (Cisco IOS XE)

Victims/regions
- Victim region: Australia
- Victim region: United States

Remediation
- Patch available

Threat context
- BadCandy

Malware context

1 family: BadCandy

Member happenings

3 related

Vulnerability: Cisco IOS XE remote admin flaw (CVE-2023-20198)
Updated 31.10.2025 17:38 | Role: Lead | Contribution: 65
Active exploitation; public exploit; CVSS 10.0 (Critical); patch available

Ongoing exploitation of **CVE-2023-20198** keeps **Cisco IOS XE** devices exposed to **BadCandy** webshell planting, with confirmed compromise activity in **Australia** and cleanup-resistant reinfection. **Cisco** fixed the flaw in **October 2023**, but a **public exploit** and unpatched systems continue to drive abuse. The flaw lets remote unauthenticated attackers create a local admin user through the web interface and take over devices.

Exploitation Wave: Cisco IOS XE BADCANDY exploitation wave (CVE-2023-20198)
Updated 01.11.2025 15:43 | Role: Scoring Support | Contribution: 3
Active exploitation; CVSS 10.0 (Critical); patch available

A sustained **BADCANDY** exploitation wave is targeting **unpatched Cisco IOS XE devices** in **Australia**, with repeated compromise linked to **CVE-2023-20198**. ASD estimated up to **400 devices** have been affected since **July 2025**, including **150 in October**. The activity has persisted since **October 2023** and continued through **2024 and 2025**. Exposed systems remain at risk of reinfection when they stay reachable and unpatched.

Exploitation Wave: Cisco IOS XE BadCandy exploitation wave
Updated 31.10.2025 17:38 | Role: Scoring Support | Contribution: 2
Active exploitation; patch available

Ongoing **BadCandy** exploitation of **unpatched Cisco IOS XE devices** in **Australia** has left **over 150 devices** compromised and enabled repeated re-infection of routers whose operators had already been alerted. The wave uses **CVE-2023-20198** to plant a **Lua-based webshell** that can grant **root-level command execution**. Cisco fixed the flaw in **October 2023**, but systems that stayed exposed remained open to renewed abuse through **2024 and 2025**.