Cisco IOS XE BadCandy exploitation wave
Exploitation Wave
Summary
Ongoing BadCandy exploitation of unpatched Cisco IOS XE devices in Australia has left over 150 devices compromised as of late October 2025, with over 400 potentially compromised since July 2025, and has re-infected routers whose owners had already been notified. The wave uses CVE-2023-20198, a privilege-escalation flaw in the IOS XE web UI, to create a local administrator account and plant a Lua-based webshell that gives root-level command execution. Cisco fixed the flaw in October 2023, but devices left unpatched with the web UI exposed remained open to renewed abuse through 2024 and 2025.
Related Happenings
Cisco ThousandEyes and Nexus security patches
Security Patch Release
First: 21.05.2026 15:04
Last: 21.05.2026 15:04
Sources 1
About this happening:
Cisco released patches for **three medium-severity vulnerabilities** affecting **ThousandEyes Virtual Appliance**, **ThousandEyes Enterprise Agent**, and **Nexus 3000/9000 switche...
Cisco Secure Workload REST API validation/authentication flaw (CVE-2026-20223)
Vulnerability
First: 21.05.2026 15:04
Last: 21.05.2026 15:04
Sources 1
About this happening:
**Cisco Secure Workload Cluster Software** was patched for **CVE-2026-20223**, a **critical** REST API flaw that could let attackers gain **Site Admin privileges** and cross tenan...
Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)
Vulnerability
First: 14.05.2026 23:09
Last: 14.05.2026 23:09
Sources 1
About this happening:
**CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...
Latest development: 14.05.2026 23:25
Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.
Cisco security patch release for CVE-2026-20188
Security Patch Release
First: 06.05.2026 21:06
Last: 06.05.2026 21:06
Sources 1
About this happening:
**Cisco** released security updates for **CVE-2026-20188**, a high-severity **DoS vulnerability** in **Crosswork Network Controller (CNC)** and **Network Services Orchestrator (NS...
Cisco Catalyst SD-WAN Manager information disclosure vulnerability (CVE-2026-20133)
Vulnerability
First: 21.04.2026 15:30
Last: 21.04.2026 15:30
Sources 1
About this happening:
CISA moved **CVE-2026-20133** in **Cisco Catalyst SD-WAN Manager** into its **KEV Catalog**, signaling **active exploitation** against **unpatched devices** and forcing **FCEB age...
Timeline
31.10.2025 17:38 · 2 articles
Australia warns of ongoing BadCandy infections on unpatched Cisco IOS XE devices
Initial Disclosure
The Australian government warns that unpatched Cisco IOS XE devices in Australia are being targeted with the BadCandy Lua-based webshell through CVE-2023-20198. Attackers use the flaw to create a local admin user through the web interface, gain root-level command execution, and reintroduce the implant after a reboot if the web interface remains accessible. The Australian Signals Directorate (ASD) assesses that over 400 devices were potentially compromised since July 2025 and that over 150 were still compromised as of late October 2025. ASD is sending victim notifications with patching, hardening, and incident-response instructions and has asked ISPs to help contact owners whose devices cannot be identified.
Sources
- Australia warns of BadCandy infections on unpatched Cisco devices — www.bleepingcomputer.com — 31.10.2025 17:38
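The infection chain described in the summary and in the timeline entry above suggests two checks a responder would run on a suspect IOS XE router. The Python below is an added example written for this page, not code from the page, from ASD, from Cisco or from the article. It classifies the reply to the public implant check that Cisco Talos published in October 2023 (an HTTP POST to /webui/logoutconfirm.html?logon_hash=1, which an implanted device answers with a bare hexadecimal string), and it audits a saved running-config for the condition that lets the implant be reintroduced after a reboot: a web UI that is enabled and not restricted by ip http access-class. The sample response bodies and configs are constructed; the minimum hex length and the rule that an HTTP server counts as disabled unless an explicit enabling line is present are assumptions.

```python
"""Triage helpers for the IOS XE BadCandy / CVE-2023-20198 wave.

Added example for this page; not code from ASD, Cisco, or the article.
classify_implant_response() interprets the reply to the Talos implant check;
audit_http_exposure() / exposure_findings() read a saved running-config and
flag a web UI that is enabled and unrestricted (the re-infection condition).
Sample bodies and configs at the bottom are constructed, not real device output.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Implant check endpoint from the Talos/Cisco guidance, sent as:
#   curl -k -X POST "https://<device>/webui/logoutconfirm.html?logon_hash=1"
IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# The implant answers with a hex string (Talos's example was 18 characters).
# The minimum length of 16 is an assumption to avoid matching short tokens.
_HEX_BODY = re.compile(r"[0-9a-fA-F]{16,}")


def classify_implant_response(status: Optional[int], body: str) -> str:
    """Classify the HTTP reply to the implant check.

    'implanted'    HTTP 200 whose body is nothing but a hex string
    'no-indicator' the web UI answered with a normal page or an error
    'unreachable'  no HTTP answer at all (status is None)
    'no-indicator' does not clear the device: a later implant variant only
    returns the hex string when a specific Authorization header is sent.
    """
    if status is None:
        return "unreachable"
    if status == 200 and _HEX_BODY.fullmatch(body.strip()):
        return "implanted"
    return "no-indicator"


@dataclass
class HttpExposure:
    http_enabled: bool
    https_enabled: bool
    access_class: Optional[str]  # ACL on 'ip http access-class', if any


def audit_http_exposure(running_config: str) -> HttpExposure:
    """Parse the web-UI lines of an IOS XE running-config.

    Assumption: a server is disabled unless an explicit 'ip http server' /
    'ip http secure-server' line enables it.
    """
    http = https = False
    acl = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http = True
        elif line == "no ip http server":
            http = False
        elif line == "ip http secure-server":
            https = True
        elif line == "no ip http secure-server":
            https = False
        elif line.startswith("ip http access-class "):
            # "ip http access-class 10" or "ip http access-class ipv4 NAME"
            acl = line.split()[-1]
    return HttpExposure(http, https, acl)


def exposure_findings(exp: HttpExposure) -> list:
    """Findings that matter for CVE-2023-20198 and BadCandy re-infection."""
    out = []
    if not (exp.http_enabled or exp.https_enabled):
        return out  # web UI off: the vulnerable surface is not reachable
    if exp.http_enabled:
        out.append("ip http server enabled: web UI reachable over cleartext HTTP")
    if exp.https_enabled:
        out.append("ip http secure-server enabled: web UI reachable over HTTPS")
    if exp.access_class is None:
        out.append("no ip http access-class: web UI open to any source; "
                   "implant can be re-planted after reboot")
    return out


# Constructed samples (not real device output).
CLEAN_BODY = "<html><body>Are you sure you want to log out?</body></html>"
IMPLANT_BODY = "0123456789abcdef01\n"
CONFIG_EXPOSED = """\
hostname edge-rtr-01
ip http server
ip http secure-server
ip http authentication local
"""
CONFIG_RESTRICTED = """\
hostname edge-rtr-02
no ip http server
ip http secure-server
ip http access-class ipv4 WEBUI-MGMT
"""
CONFIG_HARDENED = """\
hostname edge-rtr-03
no ip http server
no ip http secure-server
"""

if __name__ == "__main__":
    print(classify_implant_response(200, IMPLANT_BODY))  # implanted
    print(classify_implant_response(200, CLEAN_BODY))    # no-indicator
    for cfg in (CONFIG_EXPOSED, CONFIG_RESTRICTED, CONFIG_HARDENED):
        print(exposure_findings(audit_http_exposure(cfg)))
```

Feed it the raw body of the check request and a saved `show running-config`. The remediation the timeline entry alludes to is to patch, then either disable the web UI (`no ip http server`, `no ip http secure-server`) or restrict it with an access-class, and to re-run the check after any reboot, because the implant is not persistent but is re-planted as long as the web UI stays reachable. Follow Cisco's current advisory for the exact check, since the implant was updated after the first public check was published.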