BADCANDY: The Lua Web Shell Threatening Unpatched Cisco Edge Devices


The BADCANDY implant is a malicious Lua-based web shell actively deployed by cyber actors to compromise Cisco IOS XE devices. First observed in late 2023, BADCANDY continues to affect hundreds of systems globally into 2025. Although the implant is non-persistent, attackers have demonstrated the ability to re-exploit unpatched devices rapidly, often within days of removal.

Severity: High

Threat Details

  • Malware: BADCANDY is a low-equity Lua-based web shell installed by cyber actors.
  • Target: Cisco IOS XE devices with the web user interface (UI) feature enabled and vulnerable to CVE-2023-20198.
  • Vulnerability (CVE-2023-20198): This critical flaw allows a remote, unauthenticated user to create a highly privileged account on the system, potentially taking control of the device. Actors like SALT TYPHOON have leveraged this vulnerability.
  • Persistence: The BADCANDY implant does not persist after a device reboot. However, actors may retain access if they’ve acquired account credentials or established other forms of persistence.
  • Actor Attribution: Both criminal and state-sponsored cyber actors are believed to be leveraging the BADCANDY implant.
  • Scale: Since July 2025, ASD assesses that over 400 devices were potentially compromised with BADCANDY in Australia. As of late October 2025, there were still over 150 devices compromised.

MITRE ATT&CK

Tactic                              Technique                                   ID
Initial Access                      Exploit Public-Facing Application           T1190
Execution                           Command and Scripting Interpreter: Lua      T1059.011
Persistence, Privilege Escalation   Valid Accounts                              T1078
Credential Access                   Credential Dumping                          T1003

Recommendations

  1. Immediately apply the patch for CVE-2023-20198 to prevent re-exploitation.
  2. Reboot the Device: As the BADCANDY implant is not persistent, rebooting the Cisco IOS XE device will remove the implant.
  3. Review and Remove Unexpected Accounts:
    • Examine the running configuration for any new or unexpected accounts, especially those with privilege 15 (highly privileged access).
    • Specifically review and remove accounts with suspicious names, such as “cisco_tac_admin”, “cisco_support”, “cisco_sys_manager”, or “cisco”, if they are not legitimate or are unexpected.
  4. Check for Unknown Tunnel Interfaces: Review the running configuration for the presence of unknown tunnel interfaces (e.g., beginning with interface tunnel[number]).
  5. Turn off the HTTP/HTTPS server features on Cisco IOS XE if not required. Follow Cisco’s hardening guidance.
  6. Ensure that management interfaces (Web UI, SSH, SNMP) are not exposed to the internet. Apply ACLs to limit access.
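The configuration review in steps 3 to 5 above can be scripted against a saved copy of `show running-config`. The following is an added example written for this page, not code from the advisory or from Cisco: it flags local accounts with privilege 15 that are not on an operator-maintained allow list, account names the advisory calls out, tunnel interfaces, and whether the HTTP/HTTPS server (web UI) is enabled. The sample configuration, the `EDGE-RTR-01` hostname, the `netops`/`readonly` accounts, the addresses and the `$9$placeholder` secrets are all constructed for illustration.

```python
"""Post-incident triage of a Cisco IOS XE running configuration.

Added example for this advisory (not the advisory's or Cisco's own code).
Applies the recommended checks to `show running-config` text:
  * local accounts with privilege 15 not on a known-good list
  * account names the advisory lists as suspicious
  * tunnel interfaces present in the configuration
  * whether the HTTP/HTTPS server (web UI) is enabled
"""
import re

# Account names the advisory says to review specifically.
SUSPICIOUS_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}

# Constructed sample running-config; not captured from any real device.
SAMPLE_CONFIG = """\
!
hostname EDGE-RTR-01
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username readonly privilege 1 secret 9 $9$placeholder
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
!
interface Tunnel1
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
ip http server
ip http secure-server
!
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)", re.IGNORECASE)
HTTP_RE = re.compile(r"^ip http (?:secure-)?server\s*$")


def parse_accounts(config: str) -> dict:
    """Map username -> privilege level. IOS treats a missing
    'privilege' keyword as privilege 1."""
    accounts = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.rstrip())
        if m:
            accounts[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return accounts


def triage(config: str, expected_admins: set) -> dict:
    """Apply the advisory's checks. `expected_admins` is the operator's
    known-good set of privilege-15 accounts (assumed to be maintained
    outside the device)."""
    lines = [l.rstrip() for l in config.splitlines()]
    accounts = parse_accounts(config)
    return {
        "privilege15_unexpected": sorted(
            u for u, lvl in accounts.items()
            if lvl == 15 and u not in expected_admins),
        "suspicious_names": sorted(
            u for u in accounts if u.lower() in SUSPICIOUS_NAMES),
        "tunnel_interfaces": [
            m.group(1) for m in (TUNNEL_RE.match(l) for l in lines) if m],
        # 'no ip http server' does not match because the line starts with 'no'.
        "web_ui_enabled": any(HTTP_RE.match(l) for l in lines),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_CONFIG, expected_admins={"netops"})
    for check, result in findings.items():
        print(f"{check}: {result}")
```

Run it against a real configuration by replacing `SAMPLE_CONFIG` with the file contents and `expected_admins` with the site's approved administrator list; anything reported under `privilege15_unexpected`, `suspicious_names` or `tunnel_interfaces` should be reconciled with change records before removal, and `web_ui_enabled` being true on an internet-facing device is the condition step 5 tells you to close.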
