Cisco IOS XE Vulnerability Being Abused in the Wild to Plant BADCANDY
Cybersecurity authorities are raising urgent alarms as threat actors continue to exploit a critical vulnerability in Cisco IOS XE devices, deploying a malicious implant known as BADCANDY across networks worldwide.
The Australian Signals Directorate (ASD) has confirmed that over 150 devices remain compromised in Australia alone as of late October 2025, despite ongoing remediation efforts that began when the vulnerability was first weaponized in October 2023.
The BADCANDY implant represents a sophisticated yet accessible threat to organizations relying on Cisco IOS XE Software with web user interface capabilities.
This Lua-based web shell exploits CVE-2023-20198, a critical vulnerability that enables remote, unauthenticated attackers to create highly privileged accounts on vulnerable systems and establish complete control over affected devices.
What makes this campaign particularly concerning is the threat actors’ systematic approach to concealment—after initial compromise, attackers typically apply a non-persistent patch that masks the device’s vulnerability status ...
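Because the implant masks the device's vulnerability status, a version or patch-level check alone is an unreliable indicator. Two things a defender can review independently of that are whether the web UI is enabled at all and whether unexpected privilege-15 local accounts exist, since the vulnerability is reached through the web UI and is used to create highly privileged accounts. The following is an added example, not code from the article or from Cisco: it audits a `show running-config` excerpt for those two conditions. The configuration text is constructed; the command syntax (`ip http server`, `ip http secure-server`, `username <name> privilege 15 ...`) is standard IOS XE CLI, and the approved-admin list is an assumed operator input.

```python
"""Audit a Cisco IOS XE running-config excerpt (constructed sample) for
web-UI exposure and for privilege-15 local accounts not on an approved list.
Added example; not part of the original article and not Cisco's tooling."""
import re
from dataclasses import dataclass, field

# Constructed sample output of `show running-config`; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Same device after the web UI has been disabled (constructed).
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "ip http server\n", "no ip http server\n"
).replace("ip http secure-server\n", "no ip http secure-server\n")

# Assumed allowlist: the admin accounts the operator knows they created.
APPROVED_ADMINS = frozenset({"netadmin"})

# `username <name> privilege <n> ...` lines; anchored so `no ...` lines are skipped.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
HTTP_RE = re.compile(r"^ip http server\s*$", re.MULTILINE)
HTTPS_RE = re.compile(r"^ip http secure-server\s*$", re.MULTILINE)


@dataclass
class AuditResult:
    http_server: bool
    https_server: bool
    unexpected_admins: list = field(default_factory=list)

    @property
    def web_ui_exposed(self) -> bool:
        return self.http_server or self.https_server

    def findings(self) -> list:
        """Human-readable findings, one per condition, with the matching mitigation."""
        out = []
        if self.http_server:
            out.append("web UI reachable over HTTP: disable with 'no ip http server'")
        if self.https_server:
            out.append("web UI reachable over HTTPS: disable with 'no ip http secure-server' "
                       "(or restrict it to management networks if the UI is required)")
        for name in self.unexpected_admins:
            out.append(f"privilege-15 account '{name}' is not on the approved list: investigate")
        return out


def audit_config(config: str, approved_admins=frozenset()) -> AuditResult:
    """Check a running-config for an enabled web UI and unapproved privilege-15 users."""
    http_on = HTTP_RE.search(config) is not None
    https_on = HTTPS_RE.search(config) is not None
    unexpected = [name for name, priv in USERNAME_RE.findall(config)
                  if int(priv) == 15 and name not in approved_admins]
    return AuditResult(http_on, https_on, unexpected)


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        result = audit_config(cfg, APPROVED_ADMINS)
        print(f"[{label}] web UI exposed: {result.web_ui_exposed}")
        for line in result.findings():
            print("  -", line)
```

The account check deliberately works from the configuration rather than from a device banner, so it is not affected by the vulnerability-status masking the article describes; a device that passes this audit still needs to be rebuilt if it was compromised earlier, because the check only looks at what is currently in the running configuration.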
Copyright of this story solely belongs to gbhackers.