Are Hackers Exploiting Cisco IOS XE with BADCANDY Web Shell?


What happens when the very backbone of an organization’s network becomes a gateway for cybercriminals to slip through undetected, leaving systems vulnerable to exploitation? In Australia and across the globe, a critical flaw in Cisco IOS XE software has left hundreds of devices exposed, with hackers deploying a stealthy Lua-based web shell called BADCANDY to seize control. This isn’t just a minor glitch—it’s a persistent threat that could unravel entire infrastructures, exposing sensitive data and disrupting operations on a massive scale.

This escalating crisis underscores a harsh reality: unpatched internet-facing devices are prime targets for both criminal hackers and state-sponsored groups. With over 400 compromised systems reported by the Australian Signals Directorate (ASD) since mid-2025, the urgency to address this vulnerability cannot be overstated. The exploitation of CVE-2023-20198, a flaw with a maximum CVSS score of 10.0, has turned routine network equipment into a battleground for espionage and crime, demanding immediate attention from organizations worldwide.

A Global Network at Risk

Cisco IOS XE, the operating system running countless enterprise routers and switches, is integral to modern connectivity. However, its critical vulnerability, CVE-2023-20198, has become a focal point for attackers seeking unauthorized access. This flaw allows remote, unauthenticated creation of high-privilege accounts, handing over root-level control without the need for credentials—a catastrophic breach for any network.

The scope of this issue extends far beyond isolated incidents. According to ASD, infections peaked at 350 devices in mid-2025, with numbers fluctuating as attackers re-exploit unpatched systems. Sectors like telecommunications, where a single breach can ripple across global networks, face heightened risks, amplifying the need for robust defenses against such pervasive threats.

How BADCANDY Slips Through the Cracks

At the heart of this crisis lies the BADCANDY web shell, a cunning implant designed to evade detection. Exploiting CVE-2023-20198, attackers target the web user interface of Cisco IOS XE, embedding this Lua-based shell within Nginx configuration files like cisco_service.conf. Through hidden URI paths, it enables command execution, giving hackers a backdoor to manipulate systems at will.

Though BADCANDY disappears upon reboot, its impact lingers. Attackers often secure persistence by harvesting credentials or altering configurations, making re-infection alarmingly simple. ASD data reveals a drop in infections to 138 by late 2025, yet spikes following notifications highlight how quickly cybercriminals return to exploit lingering vulnerabilities.

The sophistication of this attack is compounded by the actors behind it. Beyond opportunistic criminals, state-sponsored groups like China’s SALT TYPHOON have been linked to these exploits, using them for espionage in critical sectors. This blend of technical prowess and strategic intent makes the threat uniquely dangerous.

Voices from the Frontline

Experts are sounding the alarm on the stealth of this attack. An ASD spokesperson noted, “BADCANDY’s minimal footprint means it often goes unnoticed without meticulous configuration audits.” Their proactive notifications have slashed infection rates by over 60% since mid-2025, yet the persistent re-emergence of attacks reveals the relentless nature of adversaries.

Cisco’s own advisory emphasizes the gravity of immediate action, providing detailed indicators of compromise to assist in detection. Real-world impacts are starkly evident in cases like SALT TYPHOON’s infiltration of telecom networks, where such exploits have facilitated broader surveillance operations. These incidents transform technical vulnerabilities into tools of geopolitical significance.

The challenge of staying ahead is palpable. As one network administrator shared anonymously, “Even after patching, the fear of hidden backdoors keeps us up at night. It’s a constant game of catch-up.” This sentiment reflects the broader struggle faced by organizations racing to secure their systems against an ever-evolving threat landscape.

The Real-World Fallout

The consequences of failing to address this vulnerability are far-reaching. In sectors critical to national infrastructure, a compromised router isn’t just a technical failure—it’s a potential entry point for data theft, service disruptions, or worse. The targeting of telecom giants by groups like SALT TYPHOON illustrates how a single exploit can undermine trust and security on a global scale.

Beyond espionage, criminal actors exploit BADCANDY for financial gain, using compromised systems as launchpads for ransomware or other malicious campaigns. ASD’s tracking shows recurring spikes in infections, often tied to unpatched devices left exposed after initial cleanups, proving that temporary fixes fall short against determined attackers.

This ongoing battle highlights a critical gap in cybersecurity readiness. Many organizations underestimate the importance of edge devices, leaving them as weak links in otherwise fortified networks. The ripple effects of such oversights can devastate operations, erode customer confidence, and invite regulatory scrutiny.

Fortifying the Digital Frontier

Safeguarding networks against BADCANDY demands a comprehensive strategy. Patching CVE-2023-20198 must be the first step—Cisco’s fix has been available for months, and delays only widen the window of exposure. Rebooting devices clears the web shell temporarily, but follow-up audits for unauthorized accounts or suspicious tunnel interfaces are essential.

Hardening configurations offers another layer of defense. Disabling the HTTP server feature and restricting web UI access, as outlined in Cisco’s IOS XE guide, can significantly reduce risks. Monitoring TACACS+ logs for unusual activity and segmenting networks to limit lateral movement further bolster security against potential breaches.

Continuous vigilance is non-negotiable. Leveraging Cisco’s indicators of compromise to scan for BADCANDY remnants, coupled with alerts for configuration changes, ensures early detection of re-exploitation attempts. ASD’s ongoing guidance reinforces that a proactive stance, blending technical fixes with strategic planning, is the only way to shrink the attack surface.
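The follow-up audit described in the three paragraphs above (unauthorized privilege-15 accounts, an exposed web UI, unexpected tunnel interfaces) can be turned into a repeatable check over saved `show running-config` output. The script below is an added example written for this page; it is not code from the article, from ASD, or from Cisco. It assumes the operator already has the running-config text from a device; the two configs embedded here are constructed samples, and the `APPROVED_ADMINS` and `APPROVED_TUNNELS` allowlists are hypothetical values an operator would fill in from their own change records.

```python
"""Audit saved Cisco IOS XE running-config text for post-CVE-2023-20198 indicators.

Added example for this page, not the article's or Cisco's own tooling.
Input: the text of `show running-config` captured from a device.
Checks mirror the hardening advice above: unapproved privilege-15 users,
HTTP/HTTPS server left enabled, web UI without a source restriction, and
tunnel interfaces the operator never provisioned.
"""
import re

# Constructed sample config showing a device that still looks exploitable.
# Not captured from a real device; the secret hashes are placeholders.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholderhash1
username cisco_tac_admin privilege 15 secret 9 $9$placeholderhash2
!
interface Tunnel0
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample config after hardening: web UI disabled, only the
# approved admin account, no tunnel interfaces.
HARDENED_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholderhash1
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
!
end
"""

# Hypothetical allowlists: accounts and tunnels the operator knows are legitimate.
APPROVED_ADMINS = {"netadmin"}
APPROVED_TUNNELS: set[str] = set()


def audit_running_config(config: str,
                         approved_admins=APPROVED_ADMINS,
                         approved_tunnels=APPROVED_TUNNELS) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []

    # 1. Local privilege-15 users not on the allowlist. Exploitation of
    #    CVE-2023-20198 leaves behind exactly this kind of account.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in approved_admins:
            findings.append(f"unapproved privilege-15 user: {m.group(1)}")

    # 2. Web UI still reachable. A leading "no " on the line means it is disabled,
    #    and the anchored regex deliberately does not match that form.
    http_on = re.search(r"^ip http server$", config, re.M) is not None
    https_on = re.search(r"^ip http secure-server$", config, re.M) is not None
    if http_on:
        findings.append("ip http server is enabled (web UI reachable over HTTP)")
    if https_on:
        findings.append("ip http secure-server is enabled (web UI reachable over HTTPS)")

    # 3. Web UI enabled with no source restriction (ip http access-class).
    if (http_on or https_on) and not re.search(r"^ip http access-class ", config, re.M):
        findings.append("web UI enabled with no 'ip http access-class' restriction")

    # 4. Tunnel interfaces the operator did not provision.
    for m in re.finditer(r"^interface (Tunnel\d+)", config, re.M):
        if m.group(1) not in approved_tunnels:
            findings.append(f"unexpected tunnel interface: {m.group(1)}")

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_running_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it against a config pulled by your existing automation and alert on any non-empty result; because BADCANDY itself does not survive a reboot, the durable evidence is the extra account or interface it leaves in the configuration, which is what this check keys on.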

Reflecting on a Relentless Battle

Looking back, the fight against BADCANDY exposed how even the most foundational technologies could become liabilities when left unguarded. The surge of infections throughout 2025 served as a stark reminder of the sophistication and persistence of modern cyber threats. Organizations that acted swiftly to patch and monitor their systems often evaded the worst outcomes, while others paid a steep price for complacency.

Moving forward, the lesson is clear: cybersecurity is an ongoing commitment, not a one-time fix. Prioritizing regular updates, investing in deep configuration reviews, and fostering a culture of readiness are essential steps to prevent history from repeating itself. As threats evolve, staying one step ahead through collaboration with industry experts and adherence to best practices emerges as the path toward lasting resilience.
