Nov 01, 2025Ravie LakshmananArtificial Intelligence / Vulnerability
The Australian Alerts Directorate (ASD) has issued a bulletin about ongoing cyber assaults focusing on unpatched Cisco IOS XE units within the nation with a beforehand undocumented implant often known as BADCANDY.
The exercise, per the intelligence company, includes the exploitation of CVE-2023-20198 (CVSS rating: 10.0), a important vulnerability that enables a distant, unauthenticated attacker to create an account with elevated privileges and use it to grab management of inclined methods.
The safety defect has come underneath energetic exploitation within the wild since final 2023, with China-linked menace actors like Salt Storm weaponizing it in latest months to breach telecommunications suppliers.
ASD famous that variations of BADCANDY have been detected since October 2023, with a recent set of assaults persevering with to be recorded in 2024 and 2025. As many as 400 units in Australia are estimated to have been compromised with the malware since July 2025, out of which 150 units have been contaminated in October alone.
“BADCANDY is a low fairness Lua-based net shell, and cyber actors have usually utilized a non-persistent patch post-compromise to masks the gadget’s vulnerability standing in relation to CVE-2023-20198,” it stated. “In these cases, the presence of the BADCANDY implant signifies compromise of the Cisco IOS XE gadget, by way of CVE-2023-20198.”
The shortage of a persistence mechanism means it can not survive throughout system reboots. Nevertheless, if the gadget stays unpatched and uncovered to the web, it is attainable for the menace actor to re-introduce the malware and regain entry to it.
ASD has assessed that the menace actors are in a position to detect when the implant is eliminated and are infecting the units once more. That is primarily based on the truth that re-exploitation has occurred on units for which the company has beforehand issued notifications to affected entities.
That having stated, a reboot is not going to undo different actions undertaken by the attackers. It is due to this fact important that system operators apply the patches, restrict public publicity of the net consumer interface, and comply with obligatory hardening pointers issued by Cisco to forestall future exploitation makes an attempt.
A number of the different actions outlined by the company are listed beneath –
Evaluate the working configuration for accounts with privilege 15 and take away sudden or unapproved accounts
Evaluate accounts with random strings or “cisco_tac_admin,” “cisco_support,” “cisco_sys_manager,” or “cisco” and take away them if not professional
Evaluate the working configuration for unknown tunnel interfaces
Evaluate TACACS+ AAA command accounting logging for configuration modifications, if enabled
