Australia Warns of BadCandy Infections on Unpatched Cisco Devices
Australia’s cybersecurity landscape was jolted by the discovery of the BadCandy webshell, a stealthy backdoor targeting unpatched Cisco devices. Exploiting the critical CVE-2023-20198 vulnerability, BadCandy enables attackers to seize administrative control over network hardware, often without leaving a trace. Despite Cisco’s patch release in October 2023, hundreds of devices across Australia remained exposed, with over 150 still compromised as of late October 2025. The Australian Signals Directorate (ASD) has been racing to notify affected organizations and coordinate with ISPs to stem the tide of infections. The threat isn’t confined to Australia—state-backed actors, including the Chinese group “Salt Typhoon,” have leveraged the same flaw to breach major telecom providers in the US and Canada, underscoring the global stakes of timely patching and vigilant network defense (BleepingComputer).
The BadCandy Webshell: A Sneaky Threat to Network Security
Exploitation of Cisco Devices
The BadCandy webshell represents a significant threat to network security, particularly targeting unpatched Cisco devices. The vulnerability exploited by BadCandy is identified as CVE-2023-20198, a critical flaw that allows remote unauthenticated attackers to gain administrative access to devices via the web user interface. This flaw was addressed by Cisco in October 2023, yet many devices remain unpatched, leaving them vulnerable to exploitation (BleepingComputer). The persistent nature of this threat is underscored by the fact that attackers can easily reintroduce the webshell even after it has been removed, as long as the devices remain unpatched and exposed to the internet.
Mechanism of Action
The BadCandy webshell operates by planting a backdoor on compromised devices, allowing attackers to execute commands with root privileges. This level of access enables malicious actors to manipulate device configurations, intercept data, and potentially use the compromised devices as a springboard for further attacks. Once installed, the webshell is wiped from the device upon reboot. However, because the device remains unpatched and its web interface stays reachable, attackers can quickly reinstate the webshell, maintaining a persistent threat (BleepingComputer).
Impact on Australian Network Security
The impact of BadCandy on Australian network security is profound. Since July 2025, the Australian Signals Directorate (ASD) has assessed that over 400 devices were potentially compromised with BadCandy, with more than 150 devices still compromised as of late October 2025 (BleepingComputer). This ongoing threat highlights the critical need for organizations to prioritize patching and securing their network devices to prevent exploitation.
Response and Mitigation Strategies
In response to the ongoing threat posed by BadCandy, the Australian Signals Directorate has been proactive in notifying victims and providing guidance on patching and hardening their devices. This includes instructions on conducting incident response to mitigate the impact of the webshell. For devices whose owners cannot be determined, the ASD has enlisted the help of internet service providers to contact victims on their behalf (BleepingComputer). These efforts are crucial in reducing the number of compromised devices and preventing further exploitation.
International Implications
The BadCandy webshell is not only a concern for Australia but has international implications as well. The flaw exploited by BadCandy has been leveraged by state actors, such as the Chinese group known as “Salt Typhoon,” in attacks against large telecommunication service providers across the United States and Canada (BleepingComputer). This underscores the global nature of the threat and the importance of international cooperation in addressing cybersecurity vulnerabilities.
Recommendations for Network Administrators
Network administrators are advised to take immediate action to protect their devices from BadCandy infections. This includes applying the necessary patches to close the CVE-2023-20198 vulnerability and implementing robust security measures to prevent unauthorized access. Regular monitoring of network traffic and device logs can help detect signs of compromise, allowing for timely intervention. Additionally, organizations should consider conducting regular security assessments to identify and address potential vulnerabilities in their network infrastructure.
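The exposure that BadCandy depends on is an IOS XE web UI that is enabled and reachable. As an added example (not code from the original article, Cisco, or the ASD), the script below audits a running-config dump for that condition: whether `ip http server` / `ip http secure-server` are enabled, whether an `ip http access-class` ACL restricts who can reach the web UI, and which commands would disable the web UI where it is not needed. The config excerpts are constructed for the example; hostnames and the ACL name are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed running-config excerpts for this example (not captured from real devices).
EXPOSED_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http authentication local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-2
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""

@dataclass
class WebUiAudit:
    hostname: str
    http_enabled: bool
    https_enabled: bool
    access_class: Optional[str]
    findings: List[str]

def audit_webui(config_text: str) -> WebUiAudit:
    """Flag web UI exposure relevant to CVE-2023-20198 from an IOS XE running-config dump."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    hostname = next((ln.split(None, 1)[1] for ln in lines if ln.startswith("hostname ")), "unknown")
    http_on = "ip http server" in lines          # exact line match, so "no ip http server" does not count
    https_on = "ip http secure-server" in lines
    acl = None
    for ln in lines:
        m = re.fullmatch(r"ip http access-class (?:ipv4 )?(\S+)", ln)
        if m:
            acl = m.group(1)
    findings = []
    if http_on or https_on:
        findings.append("web UI enabled: verify the device runs a release fixed for CVE-2023-20198")
        if acl is None:
            findings.append("no 'ip http access-class' ACL limits who can reach the web UI")
    if http_on:
        findings.append("plaintext HTTP web UI enabled")
    return WebUiAudit(hostname, http_on, https_on, acl, findings)

def remediation_commands(audit: WebUiAudit) -> List[str]:
    """Config lines that disable the web UI where it is not needed (the usual hardening step)."""
    cmds = []
    if audit.http_enabled:
        cmds.append("no ip http server")
    if audit.https_enabled:
        cmds.append("no ip http secure-server")
    return cmds
```

Run `audit_webui` over each device's `show running-config` output and treat any device with findings and a pre-fix software release as a patching priority.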
Future Outlook
The persistence of the BadCandy threat highlights the evolving nature of cybersecurity challenges. As attackers continue to develop new techniques and exploit vulnerabilities, organizations must remain vigilant and proactive in their security efforts. This includes staying informed about the latest threats and vulnerabilities, investing in security technologies, and fostering a culture of cybersecurity awareness among employees. By taking these steps, organizations can better protect themselves against the ever-present threat of cyberattacks.
Final Thoughts
BadCandy’s persistence is a stark reminder that even a single unpatched device can open the door to widespread compromise. The rapid reinfection cycle—where attackers can reinstall the webshell after every reboot—demonstrates how critical it is for organizations to stay ahead of threat actors by patching vulnerabilities and hardening network defenses. The ASD’s proactive outreach and collaboration with ISPs set a strong example for incident response, but the international reach of BadCandy highlights the need for global cooperation and information sharing. As attackers continue to innovate, organizations must foster a culture of cybersecurity awareness, invest in robust monitoring, and keep pace with emerging threats to protect their digital frontiers (BleepingComputer).
References
- Cimpanu, C. (2025, October 31). Australia warns of ‘BadCandy’ infections on unpatched Cisco devices. BleepingComputer. https://www.bleepingcomputer.com/news/security/australia-warns-of-badcandy-infections-on-unpatched-cisco-devices/