
Cisco IOS XE remote admin flaw (CVE-2023-20198)

Type: Vulnerability · Happening score: 65 · 2 unique sources, 2 articles

Summary


Ongoing exploitation of CVE-2023-20198 keeps Cisco IOS XE devices exposed to BadCandy webshell planting, with confirmed compromise activity in Australia and cleanup-resistant reinfection. Cisco fixed the flaw in October 2023, but a public exploit and unpatched systems continue to drive abuse. The flaw lets remote unauthenticated attackers create a local admin user through the web interface and take over devices.

Cases

Related Happenings

Cisco Catalyst SD-WAN active exploitation wave

Exploitation Wave
First: 05.03.2026 14:15 Last: 05.03.2026 14:15 Sources 1

About this happening: **Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remed...

Cisco IOS XE BADCANDY exploitation wave (CVE-2023-20198)

Exploitation Wave
First: 01.11.2025 15:43 Last: 01.11.2025 15:43 Sources 1

How related: ASD noted that variations of BADCANDY have been detected since October 2023, with a fresh set of attacks continuing to be recorded in 2024 and 2025. As many as 400 devices in Australia are estimated to have been compromised with the malware since July 2025, out of which 150 devices were infected in October alone.

About this happening: A sustained **BADCANDY** exploitation wave is targeting **unpatched Cisco IOS XE devices** in **Australia**, with repeated compromise linked to **CVE-2023-20198**. ASD estimated u...

Cisco IOS XE BadCandy exploitation wave

Exploitation Wave
First: 31.10.2025 17:38 Last: 31.10.2025 17:38 Sources 1

How related: The Australian government is warning about ongoing cyberattacks against unpatched Cisco IOS XE devices in the country to infect routers with the BadCandy webshell.

About this happening: Ongoing **BadCandy** exploitation of **unpatched Cisco IOS XE devices** in **Australia** has left **over 150 devices** compromised and enabled repeat re-infection on previously al...

Operation Zero Disco Cisco IOS/IOS XE rootkit campaign

Campaign
First: 16.10.2025 14:38 Last: 16.10.2025 14:38 Sources 1

About this happening: A **new campaign** dubbed **Operation Zero Disco** exploited **CVE-2025-20352** against **Cisco IOS Software** and **IOS XE Software**, enabling **Linux rootkits** and persistent...

Cisco ASA and FTD active exploitation wave (CVE-2025-20333, CVE-2025-20362)

Exploitation Wave
First: 30.09.2025 19:58 Last: 30.09.2025 19:58 Sources 1

About this happening: **Cisco ASA and FTD** appliances are still under an **active exploitation wave** for **CVE-2025-20333** and **CVE-2025-20362**, with a new attack variant now causing **unexpected...

Timeline

  1. 01.11.2025 15:43 · 2 articles

    ASD warns of ongoing BADCANDY attacks against unpatched Cisco IOS XE devices in Australia

    Initial Disclosure

    The Australian Signals Directorate issued a bulletin about ongoing cyber attacks in Australia targeting unpatched Cisco IOS XE devices with the previously undocumented BADCANDY implant. The activity involves exploitation of CVE-2023-20198, a critical flaw that lets a remote, unauthenticated attacker create an elevated account and seize control of susceptible systems, and ASD estimated that as many as 400 devices in Australia had been compromised since July 2025, including 150 in October. ASD also said variations of BADCANDY have been detected since October 2023, with fresh attacks continuing in 2024 and 2025, and advised operators to patch devices, limit public exposure of the web user interface, and review for unauthorized accounts and unknown tunnel interfaces.

  2. 31.10.2025 17:38 · 1 article

    Australian government warns of ongoing BadCandy infections on unpatched Cisco IOS XE routers

    Initial Disclosure

    The Australian Signals Directorate is notifying victims after detecting ongoing exploitation of CVE-2023-20198 against unpatched Cisco IOS XE devices in Australia. Through the exposed web interface, remote unauthenticated attackers can create a local admin user, plant the Lua-based BadCandy webshell, gain root command execution, and re-introduce the implant after a reboot if the web interface remains exposed. The agency says over 400 devices were potentially compromised since July 2025 and more than 150 were still compromised as of late October 2025; internet service providers have been asked to notify affected customers where ASD cannot identify the device owners, and administrators have been directed to patch and harden affected devices.

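An added defender-side example (not from the page, ASD, or Cisco): a small Python check that reviews an IOS XE running-config excerpt for the indicators the ASD bulletins above tell operators to look for, namely privilege-15 local users that are not on the operator's allowlist, tunnel interfaces the operator did not configure, and whether the web user interface is still enabled and unrestricted. The config excerpt and the allowlists are constructed assumptions; the `username`, `interface Tunnel`, `ip http server`, `ip http secure-server` and `ip http access-class` commands are standard IOS XE syntax.

```python
import re

# Constructed sample running-config excerpt (assumption, not from any real device).
SAMPLE_CONFIG = """\
hostname edge-router
username netops privilege 15 secret 9 $9$placeholder
username tmpadmin privilege 15 secret 9 $9$placeholder
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
ip http server
ip http secure-server
"""

# Operator-maintained allowlists (assumptions for this example).
KNOWN_ADMINS = {"netops"}      # local privilege-15 accounts that are expected
KNOWN_TUNNELS = set()          # tunnel interfaces the operator deliberately built


def review_config(config, known_admins=KNOWN_ADMINS, known_tunnels=KNOWN_TUNNELS):
    """Return a list of (finding, detail) tuples for the three ASD review items."""
    findings = []
    web_ui_enabled = False
    access_class_set = False
    for raw in config.splitlines():
        line = raw.strip()
        # 1. Privilege-15 local users not on the allowlist (possible attacker-created admin).
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m.group(1) not in known_admins:
            findings.append(("unexpected_admin", m.group(1)))
        # 2. Tunnel interfaces the operator does not recognise.
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m and m.group(1) not in known_tunnels:
            findings.append(("unknown_tunnel", m.group(1)))
        # 3. Web UI exposure: HTTP/HTTPS server on, and whether an access-class limits it.
        if re.match(r"ip http (secure-)?server$", line):
            web_ui_enabled = True
            findings.append(("web_ui_enabled", line))
        if line.startswith("ip http access-class"):
            access_class_set = True
    if web_ui_enabled and not access_class_set:
        findings.append(("web_ui_unrestricted", "no 'ip http access-class' configured"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_config(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```

Run it against `show running-config` output saved to a file; a clean device with a known admin set, no unexpected tunnels, and the web UI disabled returns an empty list.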