Cisco Router Crisis: Australian Gov Warns Hackers Reinfecting Systems with BadCandy Web Shell
The Australian government has issued a warning about active cyberattacks targeting unpatched, internet-exposed Cisco IOS XE devices used across corporate and government networks. According to the Australian Signals Directorate (ASD), attackers continue to infect routers with the BadCandy web shell, which grants them command execution at the highest privilege level on the device.
The vulnerability exploited in these attacks is tracked as CVE-2023-20198, a critical flaw in the IOS XE web UI (the HTTP/HTTPS server feature) that allows a remote, unauthenticated attacker to create a local account with privilege level 15 and take complete control of the device. Cisco addressed the issue in October 2023, releasing an official security advisory and corresponding patches.
The flaw was already being exploited as a zero-day before the fix was available, and a public exploit surfaced online within weeks of the patch, triggering a wave of mass compromises. Researchers found that attackers were implanting BadCandy, a malicious Lua-based web shell, onto routers, enabling them to execute arbitrary commands and deploy backdoors for persistent access.
According to ASD, the attacks have persisted throughout 2024 and 2025, with a significant number of systems remaining vulnerable. Since July 2025, the agency has identified more than 400 infected devices in Australia, and by late October, over 150 active compromises were still observed. Although the overall number of incidents has declined, threat actors continue to reinfect the same routers repeatedly.
The implant itself is memory-resident and is removed when the device reboots, but a reboot neither patches the vulnerability nor removes any administrator accounts the attacker created, so the router can easily be reinfected if the web interface remains exposed to the internet. ASD's analysts have observed that hackers closely monitor when BadCandy is deleted and swiftly return to reestablish control over the same targets.
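Two checks follow directly from the behaviour described above: whether a device is currently answering as the implant, and whether its web UI is reachable in a way that lets the attacker come back. Cisco's published implant probe is a POST to `https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1`; an implanted device answers with a bare hexadecimal string, a clean one with a normal HTML page or an error. The script below is an added example, not code from the article, ASD or Cisco: it classifies a captured probe response and audits a saved `show running-config` for web UI exposure, working entirely on constructed sample data so it runs offline. The hex-length threshold, the sample config text and the sample response bodies are my assumptions.

```shell
#!/bin/sh
# Added example: offline helpers for the two BadCandy / CVE-2023-20198 checks.
# Replace the constructed samples with real captures, e.g.
#   curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"
# for the probe body and "show running-config | include ip http" for the config.

# Exit 0 if a probe response body looks like the implant's reply: a single
# bare run of hex digits. The length threshold (16+) is an assumption chosen
# to avoid matching short tokens in ordinary HTML/error output.
implant_indicated() {
    body=$(printf '%s' "$1" | tr -d '\r\n ')
    printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]{16,}$'
}

# Print one of: disabled / restricted / exposed, based on whether the
# HTTP or HTTPS server is enabled and whether an "ip http access-class"
# line limits who may reach the web UI. "no ip http server" lines do not
# match the anchored patterns, so an explicitly disabled server counts as off.
webui_exposure() {
    cfg="$1"
    http=$(printf '%s\n' "$cfg" | grep -Ec '^ip http server$' || true)
    https=$(printf '%s\n' "$cfg" | grep -Ec '^ip http secure-server$' || true)
    acl=$(printf '%s\n' "$cfg" | grep -Ec '^ip http access-class ' || true)
    if [ "$http" -eq 0 ] && [ "$https" -eq 0 ]; then
        echo disabled
    elif [ "$acl" -gt 0 ]; then
        echo restricted
    else
        echo exposed
    fi
}

# --- constructed sample inputs (not real captures) ---
IMPLANT_BODY='0123456789abcdef01'
CLEAN_BODY='<html><body>Logout confirmed</body></html>'

CFG_EXPOSED='hostname edge-rtr
ip http server
ip http secure-server
ip http authentication local'

CFG_RESTRICTED='hostname edge-rtr
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
ip http authentication local'

CFG_DISABLED='hostname edge-rtr
no ip http server
no ip http secure-server'

if implant_indicated "$IMPLANT_BODY"; then
    echo "sample implant body: implant indicated"
fi
if ! implant_indicated "$CLEAN_BODY"; then
    echo "sample clean body: no implant indicated"
fi
echo "exposed config:    $(webui_exposure "$CFG_EXPOSED")"
echo "restricted config: $(webui_exposure "$CFG_RESTRICTED")"
echo "disabled config:   $(webui_exposure "$CFG_DISABLED")"
```

A result of `exposed` is the condition the article describes: the attacker can simply re-run the exploit after the reboot. Cisco's advisory recommends disabling the web UI on internet-facing devices (`no ip http server` and `no ip http secure-server`) or, where it must stay on, restricting it with `ip http access-class` to management addresses. Neither replaces the patch, and a positive implant result should be followed by a review of `show running-config` for unexpected privilege level 15 accounts before the device is rebooted.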
To mitigate these risks, the agency has been notifying affected owners and providing firmware update instructions, security hardening guidance, and forensic investigation procedures. Where the owner cannot be identified, ASD coordinates with internet service providers to reach the impacted customers.
Notably, CVE-2023-20198 was also exploited in previous espionage campaigns attributed to the Chinese threat group Salt Typhoon, which had targeted telecommunications companies in the United States and Canada.
Cisco strongly urges all IOS XE administrators to apply the latest patches immediately, and to disable or restrict the web UI on devices exposed to the internet, in line with the company's official security recommendations.