Cisco IOS XE BADCANDY exploitation wave (CVE-2023-20198)
Exploitation Wave
Summary
A sustained exploitation wave is deploying BADCANDY, a Lua-based web shell, on unpatched Cisco IOS XE devices in Australia through CVE-2023-20198. ASD estimated that up to 400 devices have been compromised since July 2025, 150 of them in October 2025. Variants of BADCANDY have been observed since October 2023, and the activity continued through 2024 and 2025. Devices that stay reachable from the internet and unpatched remain at risk of reinfection.
Related Happenings
MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)
Vulnerability
First: 05.05.2026 14:56
Last: 05.05.2026 14:56
Sources 1
About this happening:
**CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
Cisco Catalyst SD-WAN Manager information disclosure vulnerability (CVE-2026-20133)
Vulnerability
First: 21.04.2026 15:30
Last: 21.04.2026 15:30
Sources 1
About this happening:
CISA moved **CVE-2026-20133** in **Cisco Catalyst SD-WAN Manager** into its **KEV Catalog**, signaling **active exploitation** against **unpatched devices** and forcing **FCEB age...
Cisco Catalyst SD-WAN active exploitation wave
Exploitation Wave
First: 05.03.2026 14:15
Last: 05.03.2026 14:15
Sources 1
About this happening:
**Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remed...
Cisco Catalyst SD-WAN Manager actively exploited flaws (multiple vulnerabilities)
Vulnerability
First: 05.03.2026 12:32
Last: 05.03.2026 12:32
Sources 1
About this happening:
**Cisco Catalyst SD-WAN Manager** has **actively exploited** flaws **CVE-2026-20122** and **CVE-2026-20128**, creating immediate risk for management-plane compromise across affect...
Timeline
01.11.2025 15:43 · 2 articles
ASD warns of ongoing BADCANDY attacks on unpatched Cisco IOS XE devices in Australia
Initial Disclosure
The Australian Signals Directorate warned that ongoing cyber attacks in Australia are targeting unpatched Cisco IOS XE devices with BADCANDY, a low-equity Lua-based web shell tied to exploitation of CVE-2023-20198. ASD said the vulnerability has been actively exploited since late 2023, variations of BADCANDY have been detected since October 2023, and as many as 400 devices in Australia may have been compromised since July 2025, including 150 in October. The agency urged operators to apply patches, limit public exposure of the web user interface, and review privileged accounts, unknown tunnel interfaces, and TACACS+ AAA command accounting logs.
Sources
- ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability — thehackernews.com — 01.11.2025 15:43
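The review ASD recommends above (restrict the web UI, audit privilege-15 accounts, look for unknown tunnel interfaces, read TACACS+ command accounting) can be scripted against a device's running configuration and its accounting feed. The following is an added example written for this page, not code from ASD, Cisco or the reporting article. The device baseline, the two `show running-config` excerpts and the accounting log lines are all constructed; the accounting line layout is an assumption and will differ per collector (ISE, tac_plus, syslog relay). It does not detect the BADCANDY web shell itself, which does not live in the running configuration; it surfaces the configuration artifacts ASD tells operators to look for, and shows the exposed configuration beside a hardened one in which HTTP is off and HTTPS is limited to a management ACL.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical baseline for one device: the only local privilege-15 account the
# team created, and the tunnel interfaces that are supposed to exist (none here).
KNOWN_ADMINS = {"netops"}
KNOWN_TUNNELS: set[str] = set()

# Constructed 'show running-config' excerpt for a hypothetical, exposed IOS XE
# device: web UI reachable from anywhere, an extra privilege-15 user, and an
# unexplained tunnel. Not from the page or from any real device.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
interface Tunnel0
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
"""

# Same device after remediation (constructed): HTTP off, HTTPS restricted to a
# management ACL using the IOS XE 17.x 'ip http access-class ipv4' syntax,
# rogue account and tunnel removed.
HARDENED_CONFIG = """\
hostname edge-rtr-01
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
username netops privilege 15 secret 9 $9$REDACTED
no ip http server
ip http secure-server
ip http access-class ipv4 WEBUI_MGMT
ip access-list standard WEBUI_MGMT
 permit 10.10.0.0 0.0.0.255
 deny any
"""

# Constructed syslog-style rendering of TACACS+ command-accounting records.
# The field order is an assumption; adapt ACCT_RE to your collector's format.
TACACS_LOG = """\
Nov 01 2025 03:12:44 UTC 203.0.113.10 netops tty2 10.10.0.5 stop task_id=101 service=shell priv-lvl=15 cmd=show running-config
Nov 01 2025 03:20:01 UTC 203.0.113.10 cisco_tac_admin tty3 198.51.100.7 stop task_id=102 service=shell priv-lvl=15 cmd=username cisco_tac_admin privilege 15 secret 9 ...
Nov 01 2025 03:20:09 UTC 203.0.113.10 cisco_tac_admin tty3 198.51.100.7 stop task_id=103 service=shell priv-lvl=15 cmd=interface Tunnel0
"""


@dataclass
class ConfigFindings:
    webui_exposed: bool            # HTTP/HTTPS server on with no access-class
    unknown_priv15_users: list[str]
    unknown_tunnels: list[str]


def audit_running_config(config: str, known_admins: set[str],
                         known_tunnels: set[str]) -> ConfigFindings:
    """Walk a running-config line by line and collect the three ASD indicators."""
    http_on = https_on = access_class = False
    priv15: list[str] = []
    tunnels: list[str] = []
    for line in config.splitlines():
        line = line.rstrip()
        if line == "ip http server":
            http_on = True
        elif line == "no ip http server":
            http_on = False
        elif line == "ip http secure-server":
            https_on = True
        elif line == "no ip http secure-server":
            https_on = False
        elif line.startswith("ip http access-class"):
            access_class = True
        if m := re.match(r"username (\S+) privilege 15\b", line):
            priv15.append(m.group(1))
        if m := re.match(r"interface (Tunnel\d+)$", line):
            tunnels.append(m.group(1))
    return ConfigFindings(
        webui_exposed=(http_on or https_on) and not access_class,
        unknown_priv15_users=[u for u in priv15 if u not in known_admins],
        unknown_tunnels=[t for t in tunnels if t not in known_tunnels],
    )


ACCT_RE = re.compile(r"(?P<user>\S+) tty\d+ (?P<src>\S+) (?:start|stop) .*cmd=(?P<cmd>.*)$")
# Commands that establish persistence: a new priv-15 login, a tunnel, or any
# change to the web-UI settings.
PERSISTENCE_CMD = re.compile(r"username \S+ privilege 15|interface Tunnel\d+|ip http")


def suspicious_accounting(log: str, known_admins: set[str]) -> list[tuple[str, str, str]]:
    """Return (user, source IP, command) for records worth an analyst's eyes."""
    hits = []
    for line in log.splitlines():
        m = ACCT_RE.search(line)
        if not m:
            continue
        user, src, cmd = m.group("user", "src", "cmd")
        if user not in known_admins or PERSISTENCE_CMD.match(cmd):
            hits.append((user, src, cmd))
    return hits


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_running_config(cfg, KNOWN_ADMINS, KNOWN_TUNNELS))
    for user, src, cmd in suspicious_accounting(TACACS_LOG, KNOWN_ADMINS):
        print(f"REVIEW {user} from {src}: {cmd}")
```

Run it against real `show running-config` output captured over the console or an out-of-band session, not over the web UI whose exposure you are checking, and feed it the accounting export from the TACACS+ server rather than from the device, since a device-side log can be altered by whoever holds privilege 15. A clean result only means the listed artifacts are absent; removing a found account or tunnel without patching leaves the device open to the reinfection the summary describes.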