A critical alert from the Australian Signals Directorate (ASD) warns of a continuing wave of cyberattacks exploiting a known vulnerability in Cisco IOS XE devices. The vulnerability, tracked as CVE-2023-20198, enables unauthorized installation of a malicious webshell dubbed “BadCandy,” granting cyber actors full administrative control over targeted devices. The warning underscores growing concerns around delayed patching of networking infrastructure.
Cisco IOS XE Vulnerability Offers Administrative Access to Threat Actors
Attackers Are Exploiting a High-Severity Flaw in Widely Deployed Devices
CVE-2023-20198 is a high-severity vulnerability in the web user interface of Cisco IOS XE, commonly used in enterprise routers and switches. Exploitation of this flaw enables unauthenticated remote attackers to gain administrative privileges on affected devices. Cisco’s own advisory rated the issue a 10.0 on the Common Vulnerability Scoring System (CVSS), the highest possible severity level.
The BadCandy Webshell Grants Persistent Control
ASD reports that attackers exploiting this vulnerability are deploying a malicious implant identified as the “BadCandy” webshell. Once installed, BadCandy provides persistent remote access, allowing adversaries to execute arbitrary commands with privileged access. This effectively compromises the network device as an attacker-controlled foothold for lateral movement and internal reconnaissance.
“Cyber actors are installing an implant dubbed ‘BADCANDY’ on Cisco IOS XE devices that are vulnerable to CVE-2023-20198,” the ASD stated in its advisory.
The actor-controlled webshell is not only persistent across reboots but also difficult to detect using standard administrative interfaces. Its deployment aligns with trends seen in advanced persistent threat (APT) campaigns targeting network infrastructure.
Widespread Targeting of Unpatched Cisco IOS XE Systems
Australian Agencies Are Observing Active Exploitation at Scale
The ASD reports observing continued exploitation of unpatched devices within Australia and abroad. Organizations that fail to apply the Cisco-provided security updates remain vulnerable, even weeks after the initial vulnerability disclosure. These unpatched systems present a critical risk as they serve as gateways into larger organizational networks.
Patch Management is Lagging Behind Active Exploits
Despite Cisco releasing necessary patches to remediate CVE-2023-20198, many network operators have yet to apply the fixes. This delay in patching has created a global window of opportunity for threat actors exploiting the BadCandy webshell.
Security professionals are advised to:
- Immediately update all Cisco IOS XE devices to the latest firmware versions
- Audit access logs and configurations for indications of compromise
- Remove any unauthorized users or unknown configuration changes
- Monitor for network anomalies originating from affected infrastructure
The ASD also recommends disabling the HTTP Server feature on Cisco IOS XE if it is not actively needed, as this minimizes exposure to potential exploitation vectors.
The Broader Implications for Enterprise Network Security
BadCandy Serves as a Reminder of Infrastructure-Level Attack Risks
The use of BadCandy highlights a broader trend: attackers increasingly targeting underlying network infrastructure that often evades traditional endpoint detection solutions. Since devices like routers and switches are not monitored with the same scrutiny as endpoints or servers, they can remain compromised for extended periods.
Exploits Like These Could Enable Long-Term Espionage
Once an attacker establishes a foothold through CVE-2023-20198, they can use BadCandy to launch attacks deeper into internal networks, exfiltrate sensitive data, or establish persistent control mechanisms. This presents risks not only to the immediate organization but to interconnected third parties and supply chains.
As a result, organizations must reassess how they monitor and secure embedded network appliances. Incorporating network-specific threat detection tools and ensuring timely patch management are crucial steps in reducing the attack surface.
A Critical Call to Secure Core Network Devices
The active exploitation of CVE-2023-20198 in Cisco IOS XE devices should serve as a high-priority concern for organizations worldwide. The Australian Signals Directorate’s warning adds weight to ongoing calls for immediate patching and improved operational security around core infrastructure components.
The BadCandy webshell provides a persistent and hard-to-detect avenue for attackers, reminding defenders that incomplete patching of networking gear presents an unacceptable level of risk. In an era where adversaries are increasingly infrastructure-aware, enterprise resilience depends on ensuring both timely updates and robust network visibility.
