BADCANDY Web Shell Plagues 150 Australian Cisco Devices

For over two years, a digital hydra has been quietly plaguing Australian networks, specifically targeting Cisco IOS XE devices. This isn’t a new threat, but a persistent, evolving nightmare known as the BADCANDY web shell.

Despite extensive efforts to eradicate it, the Australian Signals Directorate (ASD) confirms that over 150 devices across the nation remain compromised, a stark reminder that some cyber battles are won not with a single blow, but with relentless vigilance against a cunning adversary. The BADCANDY web shell is a sophisticated, Lua-based implant designed to give threat actors remote access to and control over compromised network infrastructure, making it a critical concern for organizations running vulnerable Cisco IOS XE Software with the web user interface feature enabled.

This ongoing campaign leverages a critical flaw, CVE-2023-20198, a privilege escalation vulnerability in Cisco IOS XE Software’s web UI feature that boasts a perfect CVSS score of 10.0. This maximum severity score indicates that the vulnerability is easily exploitable and carries a devastating impact.

For threat actors, it’s a golden ticket: unauthenticated remote access to create highly privileged accounts, effectively handing over the keys to critical network infrastructure. Once exploited, attackers gain complete administrative control (privilege 15) over affected devices. This level of access allows them to not only manage the compromised device but also to pivot deeper into enterprise networks, intercept sensitive communications flowing through these critical components, or use the device as a staging ground for further attacks.

The vulnerability has gained notoriety within the cybersecurity community, earning a place among the top routinely exploited vulnerabilities of recent years, with advanced persistent threat (APT) groups actively incorporating it into their operational playbooks.

The BADCANDY implant itself is characterized by security researchers as a “low-equity” implant, meaning it requires relatively minimal technical sophistication to deploy once initial access is gained through vulnerabilities like CVE-2023-20198. While the web shell is effective, what makes this threat particularly concerning is the attackers’ methodology following compromise. Cyber actors have been observed applying non-persistent patches to vulnerable devices post-exploitation.

This deceptive tactic effectively masks the device’s underlying vulnerability status, making detection significantly more challenging for network administrators who might otherwise identify the unpatched flaw. Furthermore, while the BADCANDY implant itself does not persist following a device reboot, the threat extends far beyond simple malware removal.

Sophisticated threat actors frequently exfiltrate account credentials or establish alternative persistence mechanisms during their initial compromise. This allows them to maintain network access even after the BADCANDY implant is removed through a reboot or other basic remediation efforts. This reality has created a dangerous cycle of re-exploitation, as unpatched devices with exposed web interfaces remain vulnerable to repeated attacks.
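Because the attackers' non-persistent patches can hide the vulnerability from a version check, and because the campaign leaves behind privilege 15 accounts and relies on an exposed web UI, a configuration audit is a more reliable first check than a patch-level query. The following is an added example, not code from the article or from ASD: it scans a constructed `show running-config` excerpt for the two conditions described above, an enabled HTTP/HTTPS server and any privilege 15 local user that the administrator did not provision (the `KNOWN_ADMINS` allowlist and the account names are assumptions).

```python
"""Audit a Cisco IOS XE running-config excerpt for the two conditions the
BADCANDY campaign depends on: the web UI listening (ip http server /
ip http secure-server) and privilege 15 local accounts the administrator
did not create. Added example; the config text below is constructed."""
import re

# Constructed sample: web UI enabled, one legitimate admin, one unexpected one.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Accounts the administrator provisioned (assumed); any other privilege 15
# user is flagged. Do not rely on the IOS XE version string instead: the
# article notes attackers apply non-persistent patches after compromise.
KNOWN_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def audit_config(config: str, known_admins: set) -> dict:
    """Return whether the web UI is enabled and which privilege 15 local
    users are absent from known_admins."""
    web_ui_enabled = False
    unexpected = []
    for raw in config.splitlines():
        line = raw.strip()
        # 'no ip http server' is the disabled form and must not match.
        if line in ("ip http server", "ip http secure-server"):
            web_ui_enabled = True
        m = USER_RE.match(line)
        if m and int(m.group(2)) == 15 and m.group(1) not in known_admins:
            unexpected.append(m.group(1))
    return {"web_ui_enabled": web_ui_enabled, "unexpected_priv15": unexpected}


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG, KNOWN_ADMINS)
    if findings["web_ui_enabled"]:
        print("web UI is enabled; disable it or restrict access")
    for user in findings["unexpected_priv15"]:
        print(f"unexpected privilege 15 account: {user}")
```

Run it against a real running-config export and an allowlist of your own accounts; a flagged account on a device that also has the web UI enabled warrants a full credential reset, since the article notes that reboot alone removes the implant but not exfiltrated credentials.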

ASD intelligence indicates active deployment of BADCANDY since October 2023, with renewed exploitation activity observed throughout 2024 and continuing into 2025. Security telemetry from Australia demonstrates the scale of this ongoing threat, with ASD assessing that over 400 devices were potentially compromised with BADCANDY since July 2025 alone. While victim notification campaigns have achieved some success in reducing initial infections, the number of compromised devices has stabilized around 150 as of late October 2025, indicating continuous scanning and re-exploitation of unpatched systems.

Intelligence assessments from ASD indicate that both criminal and state-sponsored cyber actors are leveraging the BADCANDY implant for various objectives. The relatively low technical barrier to deploying this web shell, once the initial vulnerability is exploited, has made it attractive to a diverse range of threat actors. This includes financially motivated cybercriminals seeking to gain unauthorized access for data exfiltration or ransomware deployment, as well as sophisticated espionage groups conducting long-term intelligence collection operations.

ASD has specifically identified SALT TYPHOON, a known APT group, as one actor leveraging this attack vector for global espionage operations, highlighting the severe national security implications of such compromises.
