Cisco IOS XE BadCandy exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
Ongoing BadCandy exploitation of unpatched Cisco IOS XE devices in Australia has left over 150 devices compromised and enabled repeat re-infection on previously alerted routers. The wave uses CVE-2023-20198 to plant a Lua-based webshell that can grant root-level command execution. Cisco fixed the flaw in October 2023, but exposed systems remained vulnerable to renewed abuse through 2024 and 2025.
Cases
Related Happenings
Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)
Vulnerability
H score60
First: 05.06.2026 09:24
Last: 05.06.2026 09:24
Sources 1
About this happening:
**CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...
Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)
VulnerabilityAbout this happening: **CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...
Latest development: 06.06.2026 07:19
Cisco warned that CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is under active exploitation and can let an authenticated local attacker with netadmin privileges upload a crafted file to execute arbitrary commands as root. Cisco said the flaw affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), that limited exploitation has already resulted in configuration changes pushed to edge devices, and that no patches or mitigations are currently available. Cisco also advised checking /var/log/scripts.log for indicators of compromise and credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the issue.
Cisco Unified CM SSRF root-privilege flaw (CVE-2026-20230)
Vulnerability
H score49
First: 04.06.2026 14:09
Last: 04.06.2026 14:09
Sources 1
About this happening:
**CVE-2026-20230** exposes **Cisco Unified CM** systems with **WebDialer enabled** to remote **SSRF** abuse that can lead to **root-level compromise**. The flaw can be triggered w...
Cisco Unified CM SSRF root-privilege flaw (CVE-2026-20230)
VulnerabilityAbout this happening: **CVE-2026-20230** exposes **Cisco Unified CM** systems with **WebDialer enabled** to remote **SSRF** abuse that can lead to **root-level compromise**. The flaw can be triggered w...
Latest development: 26.06.2026 22:43
Cisco released a patch for CVE-2026-20230 in Cisco Unified Communications Manager Server and warned that the critical server-side request forgery flaw could be exploited remotely and without authentication via specially crafted HTTP requests.
Cisco Unified Communications Manager security update for CVE-2026-20230
Security Patch Release
H score56
First: 04.06.2026 14:09
Last: 04.06.2026 14:09
Sources 1
About this happening:
Cisco released **security updates** for **Cisco Unified Communications Manager (Unified CM)** to fix **CVE-2026-20230**, a **critical** flaw that could let a remote attacker reach...
Cisco Unified Communications Manager security update for CVE-2026-20230
Security Patch ReleaseAbout this happening: Cisco released **security updates** for **Cisco Unified Communications Manager (Unified CM)** to fix **CVE-2026-20230**, a **critical** flaw that could let a remote attacker reach...
Cisco ThousandEyes and Nexus security patches
Security Patch Release
H score31
First: 21.05.2026 15:04
Last: 21.05.2026 15:04
Sources 1
About this happening:
Cisco released patches for **three medium-severity vulnerabilities** affecting **ThousandEyes Virtual Appliance**, **ThousandEyes Enterprise Agent**, and **Nexus 3000/9000 switche...
Cisco ThousandEyes and Nexus security patches
Security Patch ReleaseAbout this happening: Cisco released patches for **three medium-severity vulnerabilities** affecting **ThousandEyes Virtual Appliance**, **ThousandEyes Enterprise Agent**, and **Nexus 3000/9000 switche...
Cisco Secure Workload REST API validation/authentication flaw (CVE-2026-20223)
Vulnerability
H score49
First: 21.05.2026 15:04
Last: 21.05.2026 15:04
Sources 1
About this happening:
**Cisco Secure Workload Cluster Software** was patched for **CVE-2026-20223**, a **critical** REST API flaw that could let attackers gain **Site Admin privileges** and cross tenan...
Cisco Secure Workload REST API validation/authentication flaw (CVE-2026-20223)
VulnerabilityAbout this happening: **Cisco Secure Workload Cluster Software** was patched for **CVE-2026-20223**, a **critical** REST API flaw that could let attackers gain **Site Admin privileges** and cross tenan...
Timeline
-
31.10.2025 17:38 2 articles · 8mo ago
Australia warns of ongoing BadCandy infections on unpatched Cisco IOS XE devices
Initial DisclosureThe Australian government warns that unpatched Cisco IOS XE devices in Australia are being targeted with the BadCandy Lua-based webshell through CVE-2023-20198, with attackers able to create a local admin user through the web interface, gain root-level command execution, and reintroduce the implant after reboot if the web interface remains accessible. ASD assesses that over 400 devices were potentially compromised since July 2025 and that over 150 devices were still compromised as of late October 2025, while also sending victim notifications with patching, hardening, and incident-response instructions and asking ISPs to help contact owners whose devices cannot be identified.
Show sources
- Australia warns of BadCandy infections on unpatched Cisco devices — www.bleepingcomputer.com — 31.10.2025 17:38
- Australia warns of BadCandy infections on unpatched Cisco devices — www.bleepingcomputer.com — 31.10.2025 17:38