The BADCANDY implant is a malicious Lua-based web shell actively deployed by cyber actors to compromise Cisco IOS XE devices. First observed in late 2023, BADCANDY continues to affect hundreds of systems globally into 2025. Although the implant is non-persistent, attackers have demonstrated the ability to re-exploit unpatched devices rapidly, often within days of removal.
Severity: High
Threat Details
- Malware: BADCANDY is a low equity Lua-based web shell installed by cyber actors.
- Target: Cisco IOS XE devices with the web user interface (UI) feature enabled and vulnerable to CVE-2023-20198.
- Vulnerability (CVE-2023-20198): This critical flaw allows a remote, unauthenticated user to create a highly privileged account on the system, potentially taking control of the device. Actors like SALT TYPHOON have leveraged this vulnerability.
- Persistence: The BADCANDY implant does not persist after a device reboot. However, actors may retain access if they’ve acquired account credentials or established other forms of persistence.
- Actor Attribution: Both criminal and state-sponsored cyber actors are believed to be leveraging the BADCANDY implant.
- Scale: Since July 2025, ASD assesses that over 400 devices were potentially compromised with BADCANDY in Australia. As of late October 2025, there were still over 150 devices compromised.
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | Command and Scripting Interpreter: Lua | T1059.011 |
| Persistence, Privilege Escalation | Valid Accounts | T1078 |
| Credential Access | Credential Dumping | T1003 |
Recommendations
- Immediately apply the patch for CVE-2023-20198 to prevent re-exploitation.
- Reboot the Device: As the BADCANDY implant is not persistent, rebooting the Cisco IOS XE device will remove the implant.
- Review and Remove Unexpected Accounts:
  - Examine the running configuration for any new or unexpected accounts, especially those with privilege 15 (highly privileged access).
  - Specifically review and remove accounts with suspicious names, such as “cisco_tac_admin”, “cisco_support”, “cisco_sys_manager”, or “cisco”, if they are not legitimate or were not expected.
- Check for Unknown Tunnel Interfaces: Review the running configuration for the presence of unknown tunnel interfaces (e.g., configuration lines beginning with “interface Tunnel[number]”).
- Turn off the HTTP/HTTPS server features on Cisco IOS XE if not required. Follow Cisco’s hardening guidance.
- Ensure that management interfaces (Web UI, SSH, SNMP) are not exposed to the internet. Apply ACLs to limit access.
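The account, tunnel-interface and web-UI checks above can be scripted against saved `show running-config` output so they are repeatable across a fleet. The following is an added example written for this advisory, not code from ASD or Cisco; the sample configuration is constructed for illustration, and the `KNOWN_TUNNELS` allowlist and the `audit_config` / `remediation_commands` function names are assumptions. It flags privilege-15 accounts, the suspicious account names listed above, tunnel interfaces not on an operator allowlist, and an enabled HTTP/HTTPS server that has no `ip http access-class` ACL restricting it. Because the implant itself is non-persistent, these checks look for the persistence artefacts actors leave behind rather than for BADCANDY itself.

```python
import re

# Constructed sample of `show running-config` output (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username netops privilege 1 secret 9 $9$PLACEHOLDER
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel4242
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
!
ip http server
ip http secure-server
!
end
"""

# Account names called out in the advisory as suspicious when not legitimate.
SUSPICIOUS_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}

# Assumption: an operator-maintained allowlist of tunnel interfaces that are expected.
KNOWN_TUNNELS = frozenset()

# `username NAME privilege N ...`; privilege defaults to 1 when the keyword is absent.
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)", re.M | re.I)
WEB_UI_CMDS = ("ip http server", "ip http secure-server")


def audit_config(text, known_tunnels=KNOWN_TUNNELS):
    """Return a list of (finding_type, detail) tuples for one running-config."""
    findings = []

    # 1. Accounts: suspicious names first, then any other privilege-15 account.
    for m in USERNAME_RE.finditer(text):
        name, priv = m.group(1), int(m.group(2) or 1)
        if name in SUSPICIOUS_NAMES:
            findings.append(("suspicious_account", name))
        elif priv == 15:
            findings.append(("privileged_account", name))

    # 2. Tunnel interfaces that nobody has documented as expected.
    for m in TUNNEL_RE.finditer(text):
        if m.group(1) not in known_tunnels:
            findings.append(("unknown_tunnel", m.group(1)))

    # 3. Web UI exposure: server enabled, and whether an access-class ACL limits it.
    lines = {ln.strip() for ln in text.splitlines()}
    web_ui_on = [cmd for cmd in WEB_UI_CMDS if cmd in lines]
    for cmd in web_ui_on:
        findings.append(("web_ui_enabled", cmd))
    if web_ui_on and not any(ln.startswith("ip http access-class") for ln in lines):
        findings.append(("web_ui_unrestricted", "no 'ip http access-class' configured"))

    return findings


def remediation_commands(findings):
    """Suggest IOS XE config lines for findings that are safe to act on automatically.

    Only suspicious-name accounts and the web UI are removed here; other
    privilege-15 accounts and unknown tunnels need a human to confirm they are rogue.
    """
    cmds = []
    for kind, detail in findings:
        if kind == "suspicious_account":
            cmds.append(f"no username {detail}")
        elif kind == "web_ui_enabled":
            cmds.append(f"no {detail}")
    return cmds


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for kind, detail in results:
        print(f"{kind:20} {detail}")
    print("--- proposed remediation ---")
    for cmd in remediation_commands(results):
        print(cmd)
```

Run it against a directory of saved configs and review the `privileged_account` and `unknown_tunnel` findings by hand; only the suspicious-name accounts and the `ip http` lines are turned into `no ...` commands, because a legitimate local admin or a documented tunnel would otherwise be removed along with the rogue ones. Patching CVE-2023-20198 and rebooting still come first; this audit addresses the access actors retain after the implant is gone.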