The Australian Signals Directorate (ASD) has previously identified an undocumented ‘ bad candy.
According to the intelligence community, this activity included the exploitation of CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability that allows a remote, unauthenticated attacker to create an account with elevated privileges and use it to seize control of a susceptible system.
This security flaw has been actively exploited since last year in 2023, and China-linked threat actors such as Salt Typhoon have weaponized it to infiltrate telecommunications providers in recent months.
ASD noted that BADCANDY variants have been detected since October 2023, and new attacks continue to be recorded in 2024 and 2025. It is estimated that up to 400 devices in Australia have been compromised by the malware since July 2025, with 150 devices infected in October alone.
“BADCANDY is a low-capital Lua-based web shell that cyber attackers typically apply non-persistent patches to after a breach to hide the vulnerability status of devices related to CVE-2023-20198,” the paper said. “In these examples, the presence of the BADCANDY implant indicates compromise of Cisco IOS XE devices with CVE-2023-20198.”
The lack of a persistence mechanism means that it cannot survive a system reboot. However, if a device is left unpatched and exposed to the internet, threat actors can reintroduce malware and regain access to the device.
ASD has assessed that threat actors can detect when the implant is removed and the device becomes reinfected. This is based on the fact that the re-exploitation occurred on a device for which authorities had previously issued a notice to affected organizations.
That being said, a reboot will not undo any other actions taken by the attacker. Therefore, it is important that system operators apply patches, limit exposure of the web user interface, and follow any necessary hardening guidelines issued by Cisco to prevent future exploitation attempts.
Some of the other measures outlined by the agency are listed below.
- Check the run settings for accounts with permission 15 and remove unexpected or unauthorized accounts
- Check for accounts containing random strings or “cisco_tac_admin,” “cisco_support,” “cisco_sys_manager,” or “cisco” and remove them if they are not legitimate.
- Check the running configuration of the unknown tunnel interface.
- Check TACACS+ AAA command accounting logging for configuration changes (if enabled)
