Ethical Hacking News
Australia has issued a warning to citizens about BadCandy infections on unpatched Cisco IOS XE devices, which could allow remote attackers to gain access to administrative accounts and execute commands with root privileges. As of October 31st, over 150 devices remain infected in Australia, despite declining new infections.
The Australian government has warned citizens about a severe vulnerability in unpatched Cisco IOS XE devices, CVE-2023-20198. Attackers use the BadCandy webshell to gain access to local administrative accounts and plant backdoors on infected devices. Over 150 Australian devices remain infected with BadCandy, despite a decline in new infections. Australian authorities suspect state-sponsored cyber-actors are behind the attacks. The government urges device administrators to patch their devices immediately and provides guidance on mitigation recommendations.
The Australian government has issued a stark warning to citizens, advising them of an ongoing threat to their unpatched Cisco IOS XE devices. The vulnerability in question is CVE-2023-20198, a severe flaw that allows remote, unauthenticated attackers to gain access to local administrative accounts on vulnerable devices. This has led to widespread exploitation, with attackers planting backdoors on internet-exposed devices.
The BadCandy webshell, which has been used in these attacks, is a Lua-based script that allows attackers to execute commands with root privileges on compromised devices. The webshell is not persistent: it is wiped from the device on reboot, but it can easily be re-introduced as long as the device's web interface remains reachable and no patch has been applied.
As of late October 2025, Australian authorities have confirmed over 150 devices remain infected with BadCandy, despite a decline in new infections. The Australian Signals Directorate (ASD) has been tracking this threat since July 2025, when they assessed that over 400 devices were potentially compromised.
The attackers are believed to be state-sponsored cyber-actors who have previously leveraged the same vulnerability to attack large telecommunications service providers across the U.S. and Canada. The ASD suspects that these actors will continue to target vulnerable Cisco devices worldwide, using variants of the BadCandy webshell.
In response to this ongoing threat, the Australian government has issued guidance to device administrators, urging them to patch their devices immediately. Cisco has also published a detailed hardening guide for IOS XE devices, providing recommendations for mitigating the vulnerability.
The ASD is working closely with internet service providers (ISPs) and other stakeholders to identify affected devices and provide support to those whose owners cannot be determined. For device administrators, the agency recommends following the vendor's mitigation recommendations in the security bulletin.
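Because the webshell is dropped through the web interface and comes back after a reboot whenever that interface stays exposed, the first thing an administrator needs is an inventory of which devices still have the IOS XE web UI enabled and whether it is restricted by an access list. The script below is an added example written for this article; it is not Cisco's tooling or part of the ASD guidance. It assumes the defender has already collected `show running-config` output from each device, and the three configuration snippets it audits are constructed for illustration. The `ip http server` / `ip http secure-server` commands and the `ip http access-class` restriction are standard IOS XE configuration lines, which is what Cisco's published mitigation for CVE-2023-20198 works with (disable the HTTP server feature on internet-facing devices, or restrict it to trusted sources until the device is patched).

```python
"""Audit Cisco IOS XE running-config snippets for web UI exposure.

Added example for the BadCandy / CVE-2023-20198 article; not the
article's, Cisco's or ASD's own code. Assumes `show running-config`
text has already been collected per device. Reports exposure, not
infection: a device can be clean today and re-infected tomorrow if
its web UI stays reachable and unpatched.
"""
import re
from dataclasses import dataclass

# Top-level IOS XE lines that enable the web UI. The `^` anchor with
# re.M means the negated form `no ip http server` does not match.
HTTP_ENABLED = re.compile(r"^ip http (secure-)?server\s*$", re.M)
# Either ACL syntax: `ip http access-class 10` or
# `ip http access-class ipv4 NAME` (newer releases).
HTTP_ACL = re.compile(r"^ip http access-class ", re.M)
HOSTNAME = re.compile(r"^hostname (\S+)", re.M)


@dataclass
class Finding:
    hostname: str
    web_ui_enabled: bool
    acl_restricted: bool
    risk: str  # "high": web UI open, "medium": web UI ACL'd, "low": off


def audit_config(config: str) -> Finding:
    """Classify one device's running-config by web UI exposure."""
    match = HOSTNAME.search(config)
    hostname = match.group(1) if match else "<unknown>"
    enabled = bool(HTTP_ENABLED.search(config))
    acl = bool(HTTP_ACL.search(config))
    if not enabled:
        risk = "low"        # Cisco's primary mitigation: HTTP server off
    elif acl:
        risk = "medium"     # interim mitigation: reachable only from ACL sources
    else:
        risk = "high"       # web UI reachable by anyone who can route to it
    return Finding(hostname, enabled, acl, risk)


def audit_all(configs: dict[str, str]) -> list[Finding]:
    """Audit every collected config, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [audit_config(cfg) for cfg in configs.values()]
    return sorted(findings, key=lambda f: order[f.risk])


# Constructed sample configs (not real devices).
SAMPLE_CONFIGS = {
    "edge-rtr-1": "hostname edge-rtr-1\nip http server\nip http secure-server\n",
    "core-sw-2": "hostname core-sw-2\nno ip http server\nno ip http secure-server\n",
    "branch-rtr-3": (
        "hostname branch-rtr-3\n"
        "ip http secure-server\n"
        "ip http access-class ipv4 MGMT-ONLY\n"
    ),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_CONFIGS):
        print(f"{f.hostname:14} risk={f.risk:6} web_ui={f.web_ui_enabled} acl={f.acl_restricted}")
```

Devices reported as `high` are the ones that stay re-infectable after a reboot; the fix order is patch first, and until the patch lands, either disable the HTTP server or put an ACL in front of it. The script deliberately keys on the enable lines rather than on the `no` form so that a config where the feature was simply never mentioned is not mistaken for one where it was explicitly turned off.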
This incident highlights the ongoing threat of cyber-attacks against unpatched devices. As the Australian government reminds us, timely patching is essential for protecting critical infrastructure and preventing devastating data breaches.
Related Information:
https://www.ethicalhackingnews.com/articles/Australia-on-High-Alert-BadCandy-Infections-Threaten-Cisco-Devices-Across-the-Globe-ehn.shtml
https://www.bleepingcomputer.com/news/security/australia-warns-of-badcandy-infections-on-unpatched-cisco-devices/
https://nvd.nist.gov/vuln/detail/CVE-2023-20198
https://www.cvedetails.com/cve/CVE-2023-20198/
Published: Fri Oct 31 12:26:18 2025 by llama3.2 3B Q4_K_M