Cybercriminals and state-sponsored actors are ramping up their attacks on unpatched Cisco IOS XE devices, using a Lua-based web shell known as BADCANDY to maintain unauthorized access. Attackers have been deploying this implant since October 2023, and it poses a significant threat because it targets devices exposed to the internet. The Australian Signals Directorate (ASD) has noted that over 400 devices were potentially compromised since July 2025, and despite mitigation attempts, more than 150 infections remained as of late October.
The CVE-2023-20198 flaw, rated at the maximum 10.0 on the CVSS scale, allows attackers to create unauthorized high-privileged accounts on Cisco routers and switches. Cisco addressed this vulnerability in a patch released in October 2023, but public exploits quickly followed, leading to widespread abuse. As a countermeasure, the ASD has issued notifications and guidelines for organizations to address the exploit and mitigate risks, emphasizing the importance of patching and maintaining robust security practices.
To combat the ongoing threat, organizations are urged to perform thorough configuration reviews, check for unauthorized entries, and re-evaluate device security postures. Proactive measures are crucial to prevent further exploitation by both criminal actors and state-sponsored groups, as the complexity and stealth of BADCANDY make detection challenging without comprehensive assessments.
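The configuration review described above can be partly automated. The script below is an added example, not code from the article, Cisco or the ASD: it parses a running-config excerpt and flags local accounts with privilege 15 that are not on an approved administrator list (the kind of unauthorized entry CVE-2023-20198 is used to create), and it reports whether the HTTP web UI is enabled, since the flaw lives in the IOS XE web UI (a known fact about the CVE, not stated on the page). The sample config, the hostname, the usernames and the approved list are all constructed for the demonstration; a real review would run it over configs pulled from every exposed device and compare the output against change records.

```python
import re

# Constructed sample running-config excerpt; not taken from any real device.
# "cisco_tac_admin" is a made-up account name standing in for an entry
# that an administrator does not recognise.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username monitor secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
end
"""

# Matches "username <name> [privilege <n>] ..." config lines.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")
# Matches an enabled web UI ("no ip http server" does not match because
# the line would start with "no").
HTTP_SERVER_RE = re.compile(r"^ip http (secure-)?server", re.MULTILINE)


def local_accounts(config):
    """Return {username: privilege} for local accounts in the config.

    IOS defaults privilege to 1 when the keyword is absent. A user may be
    configured across several lines, so keep the highest privilege seen.
    """
    accounts = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        name, priv = m.group(1), int(m.group(2)) if m.group(2) else 1
        accounts[name] = max(accounts.get(name, 1), priv)
    return accounts


def review_config(config, approved_admins):
    """Return a list of human-readable findings for one device config."""
    findings = []
    for name, priv in sorted(local_accounts(config).items()):
        if priv >= 15 and name not in approved_admins:
            findings.append(f"unapproved privilege-{priv} account: {name}")
    if HTTP_SERVER_RE.search(config):
        findings.append("web UI enabled (ip http server / ip http secure-server)")
    return findings


if __name__ == "__main__":
    # Hypothetical approved list; in practice this comes from the org's IAM records.
    for finding in review_config(SAMPLE_CONFIG, approved_admins={"netadmin"}):
        print(finding)
```

The account check only catches persistence that shows up in the running configuration; an implant such as BADCANDY can survive without a config entry, so the output should be read as one input to the broader assessment the article calls for, not as a clean bill of health.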
👉 Read the original: Cyber Security News