Executive Summary
In June 2024, Australian cybersecurity authorities issued urgent warnings regarding ongoing cyberattacks targeting unpatched Cisco IOS XE devices across the country. Threat actors exploited known vulnerabilities to install the BadCandy webshell, enabling persistent, covert access to network infrastructure. Once a device was compromised, attackers leveraged the foothold for lateral movement, unauthorized surveillance, and potentially for command-and-control activities, putting government entities, businesses, and ISPs at risk. The infections are widespread and ongoing due to delayed patching and lack of robust segmentation.
This incident highlights an increasing trend of sophisticated exploitation of edge network devices, demonstrating attackers’ focus on device-level vulnerabilities and lateral movement methods. The urgency is heightened by the scale and automation of attacks and the continued use of vulnerable systems.
Why This Matters Now
A surge in BadCandy infections demonstrates that critical infrastructure is at heightened risk when network devices remain unpatched. With attackers automating exploitation, organizations must accelerate patch cycles and strengthen segmentation controls to counter these evolving tactics and prevent widespread disruption.
Attack Path Analysis
Attackers exploited the unpatched web UI vulnerability CVE-2023-20198 on Cisco IOS XE devices to gain initial access and deploy the BadCandy webshell. They then leveraged this access to escalate privileges within the device OS, obtaining control over the device configuration. From there they attempted lateral movement to other network segments or devices, potentially targeting adjacent infrastructure. With persistent access, they established command and control through encrypted or covert channels via the webshell. Adversaries could then exfiltrate device configurations or sensitive data and, finally, cause persistent or destructive impact, such as maintaining backdoors, redirecting traffic, or disrupting service.
Kill Chain Progression
Initial Compromise
Description
Attackers scanned for and exploited internet-facing, unpatched Cisco routers with a known vulnerability, deploying the BadCandy webshell to gain unauthorized access.
Related CVEs
CVE-2023-20198
CVSS 10
A vulnerability in the web UI feature of Cisco IOS XE Software allows a remote, unauthenticated attacker to create an account with privilege level 15 access, leading to full control of the affected system.
Affected Products:
Cisco IOS XE Software – prior to patch availability
Exploit Status:
exploited in the wild
CVE-2023-20273
CVSS 7.2
A command injection vulnerability in the web UI feature of Cisco IOS XE Software allows an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges.
Affected Products:
Cisco IOS XE Software – prior to patch availability
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Web Shell
Command and Scripting Interpreter
Valid Accounts
Data Obfuscation
Network Service Scanning
Application Layer Protocol
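Detection logic for the initial-access stage of this kill chain, as an added example that is not part of the original advisory: the script below scans IOS XE syslog lines for the three events that together match what CVE-2023-20198 abuse produces (a web UI login from outside the management network, a configuration change pushed programmatically through the web UI process, and creation of a new privilege-15 account). The message formats, the web UI process name, the management subnet and every sample log line are assumptions constructed for the example; check the patterns against what your own devices actually emit before relying on them.

```python
"""Flag the BadCandy initial-access chain in IOS XE syslog (added example, not from the advisory)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumption: networks from which web UI logins are legitimate (constructed sample value).
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Assumption: patterns modelled on IOS XE syslog messages; verify against real device output.
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>[0-9.]+)\]"
)
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) from console as (?P<user>\S+)"
)
CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) +logged command:(?P<cmd>.+)$")
PRIV15_RE = re.compile(r"^username (?P<new_user>\S+) privilege 15\b")


@dataclass
class DeviceState:
    external_logins: list = field(default_factory=list)  # (user, source ip) seen outside MGMT_NETS
    webui_configs: list = field(default_factory=list)    # users whose config change came via the web UI
    new_priv15: list = field(default_factory=list)       # (acting user, new privilege-15 user)


def is_external(ip: str) -> bool:
    """True when the address is outside every sanctioned management network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MGMT_NETS)


def analyse(lines):
    """Return {hostname: [findings]} for lines shaped 'hostname: %FACILITY-SEV-MNEMONIC: text'."""
    states = {}
    for raw in lines:
        host, _, msg = raw.partition(": ")
        st = states.setdefault(host, DeviceState())
        if m := WEBLOGIN_RE.search(msg):
            if is_external(m["src"]):
                st.external_logins.append((m["user"], m["src"]))
        elif m := CONFIG_P_RE.search(msg):
            if "webui" in m["proc"].lower():  # pushed by the web UI process, not an operator CLI session
                st.webui_configs.append(m["user"])
        elif m := CFGLOG_RE.search(msg):
            if p := PRIV15_RE.match(m["cmd"].strip()):
                st.new_priv15.append((m["user"], p["new_user"]))

    findings = {}
    for host, st in states.items():
        out = [f"web UI login for '{u}' from non-management address {s}" for u, s in st.external_logins]
        out += [f"configuration pushed through the web UI process as '{u}'" for u in st.webui_configs]
        out += [f"privilege-15 account '{n}' created by '{a}'" for a, n in st.new_priv15]
        # All three together match the CVE-2023-20198 pattern: treat as a likely-compromise signal.
        if st.external_logins and st.webui_configs and st.new_priv15:
            out.append("CRITICAL: full initial-access chain observed; isolate the device and check for the webshell")
        if out:
            findings[host] = out
    return findings


# Constructed sample syslog lines (not real captures).
SAMPLE_LOG = [
    "rtr-edge-1: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.15]",
    "rtr-edge-1: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc_update] [Source: 203.0.113.77]",
    "rtr-edge-1: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as svc_update on line",
    "rtr-edge-1: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_update  logged command:username svc_update privilege 15 secret REDACTED",
    "rtr-core-2: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.15]",
    "rtr-core-2: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on line",
]

if __name__ == "__main__":
    for host, items in analyse(SAMPLE_LOG).items():
        print(host)
        for item in items:
            print("  -", item)
```

Running it prints a CRITICAL finding for rtr-edge-1 (all three events present) and only an informational note for rtr-core-2, whose web UI configuration change came from a management-network login. Each event on its own is noisy; the correlation across the three is what separates an operator using the web UI from the exploitation pattern the advisory describes.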
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Applications Protection
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 10(1)
CISA Zero Trust Maturity Model 2.0 – Automated Vulnerability and Patch Management
Control ID: Device Pillar – Asset Patch Management
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical network infrastructure compromise via BadCandy webshell on Cisco devices threatens service continuity and customer data security across telecommunications providers.
Financial Services
Unpatched Cisco IOS XE devices enable lateral movement and data exfiltration, violating PCI compliance and exposing sensitive financial transaction networks.
Government Administration
Australian government warning highlights ongoing cyberattacks targeting critical infrastructure, requiring immediate zero trust segmentation and threat detection implementation.
Health Care / Life Sciences
Network infrastructure compromise threatens HIPAA compliance and patient data security through encrypted traffic interception and east-west lateral movement attacks.
Sources
- Australia warns of BadCandy infections on unpatched Cisco devices (Verified): https://www.bleepingcomputer.com/news/security/australia-warns-of-badcandy-infections-on-unpatched-cisco-devices/
- Cisco IOS XE Software Web UI Command Injection Vulnerability (Verified): https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-webui-cmdij-FzZAeXAy.html
- Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities (Verified): https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
- Australian Government Warns of Ongoing Attacks Targeting Unpatched Cisco IOS XE Devices, Risk of 'BadCandy' Webshell Infection (Verified): https://www.thaicert.or.th/en/2025/11/04/australian-government-warns-of-ongoing-attacks-targeting-unpatched-cisco-ios-xe-devices-risk-of-badcandy-webshell-infection/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, inline IPS, egress policy enforcement, and deep anomaly detection would meaningfully constrain or rapidly detect adversary activities in each kill chain phase, preventing lateral spread, data exfiltration, and persistent C2. Applying these controls to network infrastructure and workloads reduces the attack surface and limits attacker freedom even in the event of initial compromise.
Control: Cloud Firewall (ACF)
Mitigation: Prevents direct exploitation of unpatched routers by restricting external access.
Control: Threat Detection & Anomaly Response
Mitigation: Alerts on suspicious privilege escalation or shell activity.
Control: Zero Trust Segmentation
Mitigation: Blocks unauthorized east-west communication between network segments.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks known C2 patterns or suspicious outbound traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound transfers to attacker infrastructure.
Rapid detection and correlation of impacts across the environment supports swift response.
Impact at a Glance
Affected Business Functions
- Network Operations
- Data Transmission
- Remote Access Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive configuration data and network credentials, leading to unauthorized access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Enforce strict cloud firewall policies to minimize exposure of management interfaces on network devices.
- Deploy east-west segmentation controls to restrict attacker movement post-compromise.
- Enable inline IPS and network anomaly detection to surface exploitation and privilege misuse attempts.
- Apply egress filtering policies that block unauthorized outbound connections and data transfer.
- Centralize multicloud visibility for rapid incident detection, correlation, and response across all network assets.
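One way to act on the first takeaway (minimising exposure of the management interface), as an added example that is not part of the original advisory: a small audit that reads an IOS XE running-config, reports whether the web UI is enabled without an access-class restriction and whether any privilege-15 accounts exist outside a sanctioned list, and emits the hardening lines to apply. The configuration snippets, the account allowlist and the management prefix are constructed for the example; the IOS XE commands used (ip http server, ip http secure-server, ip http access-class) are standard, but confirm the exact syntax against your platform's release.

```python
"""Audit an IOS XE running-config for web UI exposure (added example, not from the advisory)."""
import re

# Assumption: constructed allowlist of sanctioned privilege-15 accounts.
EXPECTED_ADMINS = {"netops"}


def audit_webui(config_text: str, expected_admins=EXPECTED_ADMINS) -> dict:
    """Report web UI exposure and unsanctioned privilege-15 accounts in a running-config."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    http_on = "ip http server" in lines          # plaintext web UI listener
    https_on = "ip http secure-server" in lines  # HTTPS web UI listener
    acl_name = None
    for ln in lines:
        if m := re.match(r"ip http access-class (?:ipv4 )?(\S+)$", ln):
            acl_name = m.group(1)
    # The access-class only restricts anything if the referenced ACL actually exists.
    acl_defined = acl_name is not None and any(
        re.match(rf"ip access-list (?:standard|extended) {re.escape(acl_name)}$", ln) for ln in lines
    )
    priv15 = {m.group(1) for ln in lines if (m := re.match(r"username (\S+) privilege 15\b", ln))}

    findings = []
    if http_on:
        findings.append("plaintext web UI (ip http server) is enabled")
    if (http_on or https_on) and not acl_defined:
        findings.append("web UI is reachable without an access-class restriction")
    for user in sorted(priv15 - set(expected_admins)):
        findings.append(f"unexpected privilege-15 account: {user}")
    return {"webui_enabled": http_on or https_on, "acl": acl_name, "findings": findings}


def hardening_lines(webui_required: bool, mgmt_prefix="10.0.0.0", wildcard="0.0.0.255"):
    """Lines to apply: disable the web UI entirely, or keep HTTPS only and bind it to the management net.

    mgmt_prefix and wildcard are constructed sample values."""
    if not webui_required:
        return ["no ip http server", "no ip http secure-server"]
    return [
        "no ip http server",  # never expose the plaintext listener
        "ip access-list standard WEBUI-MGMT",
        f" permit {mgmt_prefix} {wildcard}",
        " deny any log",
        "ip http secure-server",
        "ip http access-class ipv4 WEBUI-MGMT",
    ]


# Constructed sample configs (not from a real device).
VULNERABLE_CONFIG = """\
hostname rtr-edge-1
username netops privilege 15 secret REDACTED
username svc_update privilege 15 secret REDACTED
ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname rtr-edge-1
username netops privilege 15 secret REDACTED
ip access-list standard WEBUI-MGMT
 permit 10.0.0.0 0.0.0.255
 deny any log
no ip http server
ip http secure-server
ip http access-class ipv4 WEBUI-MGMT
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_webui(cfg)
        print(label, "->", result["findings"] or ["no findings"])
    print("\n".join(hardening_lines(webui_required=True)))
```

The vulnerable snippet yields three findings (plaintext listener, no access-class, an unsanctioned privilege-15 account), the hardened one none. If the device is managed through a vendor controller or the CLI only, the two-line "disable" variant is the better choice, since the fixes for both CVEs on this page only matter while the web UI is reachable at all.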