The Australian Signals Directorate (ASD) has warned that more than 150 network devices across Australia remain compromised with the BadCandy implant, more than two years after patches became available. The warning underlines the persistent danger posed by the critical Cisco IOS XE web UI vulnerability CVE-2023-20198.
BadCandy is a Lua-based web shell deployed on vulnerable Cisco IOS XE routers and switches. The attack chain exploits CVE-2023-20198 (CVSS 10.0), which lets an unauthenticated remote attacker create a persistent, privilege-level-15 administrative account through the exposed web UI. Although the web shell implant itself is non-persistent and is removed by a simple reboot, the privileged accounts created during the initial breach remain active, giving the threat actors continued access.
Both criminal and state-sponsored actors are exploiting this flaw. They target network edge devices for strategic ends: intelligence collection, building proxy networks, and pre-positioning for future disruptive attacks.
The continued compromise reveals systemic failures in vulnerability management. The ASD explicitly warns of re-exploitation: removing the implant without applying the patches leaves the device exposed, and it can be compromised again almost immediately.
Organizations must remediate immediately: apply Cisco's patches for both CVE-2023-20198 and CVE-2023-20273 (the web UI command-injection flaw used to install the implant); reboot affected devices to remove the implant; review local accounts and remove any unauthorized users with privilege level 15; and harden the device by disabling the HTTP server feature or, if the web UI is genuinely required, strictly restricting access to it from the internet and untrusted networks.
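The account review and web UI hardening steps above can be checked mechanically against a device's running configuration. The following is an added example, not code from the ASD or Cisco: it parses a constructed `show running-config` excerpt, flags privilege-15 usernames that are not on an operator-maintained allowlist (here the assumed `EXPECTED_ADMINS` set), reports whether the HTTP/HTTPS server is enabled and whether an `ip http access-class` restriction is applied, and emits the IOS XE configuration lines that would remove the unexpected accounts and disable the web server. Patching and rebooting are separate steps and are not expressed as configuration lines.

```python
"""Review a Cisco IOS XE running-config for CVE-2023-20198 post-exploitation
traces (unexpected privilege-15 accounts) and for web UI exposure.

Added example; not from the ASD advisory or Cisco.  The sample config below
is constructed for illustration and the allowlist is an assumption.
"""
import re

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
version 17.3
hostname EDGE-RTR-01
!
username netadmin privilege 15 secret 9 $9$abc...
username cisco_tac_admin privilege 15 secret 9 $9$def...
username readonly privilege 1 secret 9 $9$ghi...
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""

# Local accounts the operator expects to hold privilege 15 (assumption).
EXPECTED_ADMINS = {"netadmin"}

# Matches `username <name> privilege <level> ...` at the start of a line.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)


def unexpected_level15(config, expected=EXPECTED_ADMINS):
    """Return privilege-15 usernames that are not in the expected set."""
    return sorted(
        user
        for user, level in USER_RE.findall(config)
        if int(level) == 15 and user not in expected
    )


def http_server_exposure(config):
    """Return (http_enabled, https_enabled, access_class_applied).

    The web UI is reachable over either `ip http server` or
    `ip http secure-server`; `ip http access-class` limits which sources
    may reach it (both the legacy and `ipv4 <acl>` forms start that way).
    """
    lines = {line.strip() for line in config.splitlines()}
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    acl_applied = any(line.startswith("ip http access-class") for line in lines)
    return http_enabled, https_enabled, acl_applied


def remediation_commands(config, expected=EXPECTED_ADMINS):
    """Build the config-mode lines that remove unexpected admin accounts and
    disable the web server.  HTTPS is left enabled only when an access-class
    already restricts it; in that case the operator should review the ACL."""
    commands = [f"no username {user}" for user in unexpected_level15(config, expected)]
    http_enabled, https_enabled, acl_applied = http_server_exposure(config)
    if http_enabled:
        commands.append("no ip http server")
    if https_enabled and not acl_applied:
        commands.append("no ip http secure-server")
    return commands


if __name__ == "__main__":
    print("Unexpected privilege-15 accounts:", unexpected_level15(SAMPLE_CONFIG))
    print("HTTP/HTTPS/access-class:", http_server_exposure(SAMPLE_CONFIG))
    print("Remediation:")
    for command in remediation_commands(SAMPLE_CONFIG):
        print("  " + command)
```

Against real devices, feed the script the output of `show running-config` rather than the constructed sample, and keep the allowlist in version control so that a review after every reboot catches accounts that reappear. Removing the implant and the accounts without applying the patches leaves the device open to immediate re-exploitation, so the config changes are a complement to patching, not a substitute.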