Listen to this Post

🎯 Introduction: The Web Shell That Refuses to Die
In an era where digital perimeters define the safety of nations and corporations alike, one small piece of malicious code—known as BADCANDY—has become the nightmare that refuses to fade. Despite years of mitigation efforts and continuous warnings from global cybersecurity authorities, this Lua-based web shell continues to haunt thousands of Cisco IOS XE devices across the world. As of late October 2025, Australia’s Signals Directorate (ASD) reports more than 150 devices still compromised, underscoring the grim truth: the cyber battlefield has shifted from data centers to the very edge of the network.
The Long Shadow of BADCANDY
The BADCANDY implant, a malicious web shell exploiting the notorious CVE-2023-20198, has evolved into one of the most persistent cyber threats targeting Cisco’s IOS XE Software. This particular vulnerability, carrying a perfect CVSS score of 10.0, enables remote attackers to create privileged accounts on vulnerable systems through the device’s web user interface. Once inside, hackers gain unrestricted access—allowing them to manipulate configurations, monitor communications, and pivot deeper into corporate or government networks.
What makes this campaign chilling isn’t only its technical precision but also its patience. The implant first appeared in October 2023, resurfacing repeatedly through 2024 and into 2025. ASD analysts have confirmed that attackers cleverly deploy non-persistent patches to disguise the vulnerability, making it appear as though the device is clean. In reality, these superficial fixes mask the ongoing compromise, allowing adversaries to return undetected.
Although BADCANDY disappears after a device reboot, its true danger lies elsewhere. Cybercriminals often steal admin credentials or set up alternative persistence channels during their initial breach, ensuring they can re-enter the network even after the implant is removed. This cat-and-mouse cycle has kept many organizations trapped in a recurring nightmare of infection, remediation, and re-exploitation.
CVE-2023-20198: A Hacker’s Gateway to Power
The exploited vulnerability—CVE-2023-20198—has become infamous in cybersecurity circles. It affects devices running Cisco IOS XE Software with the web UI enabled via the ip http server or ip http secure-server commands. By leveraging this flaw, attackers can create hidden admin accounts with full privileges, effectively seizing control of the router or switch.
Such a takeover enables the interception of sensitive traffic, installation of additional implants, and even lateral movement into other parts of a network. Intelligence sources link this exploit to SALT TYPHOON, a state-sponsored group known for espionage operations across multiple continents. With evidence of both criminal and government-linked actors using this same toolset, the BADCANDY campaign blurs the line between cybercrime and cyberwarfare.
By mid-2025, ASD telemetry showed more than 400 infected devices, though later cleanup efforts reduced that number to around 150. The stability of this figure, rather than a continuous decline, indicates ongoing scanning and re-exploitation by persistent threat actors. For every device disinfected, another is found vulnerable.
A Battle of Persistence and Deception
BADCANDY’s continued survival in networks across the world reveals a deeper truth: attackers are adapting faster than defenders. Evidence shows that threat actors can even detect when their implant has been removed. Within hours—or sometimes minutes—they re-exploit the same unpatched devices.
This persistence proves one lesson above all others: removing malware is not enough. Without applying the official Cisco patches and disabling unnecessary web interfaces, organizations remain exposed. Cisco has already released patched versions—17.9.4a, 17.6.6a, 17.3.8a, and 16.12.10a—and issued strict hardening guidelines urging network administrators to disable the HTTP server feature entirely unless absolutely necessary.
Administrators are also advised to monitor device configurations for suspicious privileged accounts like “cisco_tac_admin,” “cisco_sys_manager,” or “cisco_support,” and to remove unknown tunnel interfaces labeled “interface tunnel[number].”
The Broader Picture: Edge Devices Under Siege
This campaign underscores how edge infrastructure—the routers, gateways, and switches that form the skeleton of the internet—has become a prime target for hackers. These devices often sit outside traditional monitoring perimeters, making them ideal hiding spots for implants like BADCANDY.
ASD’s multi-year effort to alert victims reflects a sobering reality: even in advanced economies, patch management and security hygiene at the edge remain critically underdeveloped. The problem isn’t just technical; it’s operational. Many organizations either overlook firmware updates or lack visibility into their edge assets entirely.
The situation has become so severe that ASD has begun issuing victim notifications through internet service providers, bypassing system operators who cannot be directly identified. Despite this, infections continue, proving that cyber defense must evolve from reactive cleanup to proactive resilience.
What Undercode Say:
The BADCANDY saga represents more than a technical exploit—it’s a lesson in strategic cyber warfare. From an analytical standpoint, this campaign exposes three key failures in modern cybersecurity strategy: patch latency, overreliance on reboots, and underestimation of persistence.
First, the delay in patch deployment continues to be the Achilles’ heel of enterprise security. Even after Cisco released patched versions, hundreds of organizations failed to apply them, allowing adversaries to maintain access indefinitely. The mindset of “we removed the malware, so we’re safe” has proven catastrophically wrong.
Second, the technical simplicity of BADCANDY—classified as a low-equity implant—is deceptive. While it may not demand high-level sophistication to deploy, its real power lies in its psychological advantage: it exploits administrator complacency. By using temporary patches to disguise infections, attackers manipulate defenders into thinking the problem is solved, creating a false sense of security that invites reinfection.
Third, this campaign reflects the emergence of hybrid threat ecosystems, where state-sponsored intelligence units and organized cybercriminals operate within the same exploit framework. SALT TYPHOON’s involvement adds geopolitical weight, suggesting that the objective is not merely financial but strategic—information theft, surveillance, and digital dominance.
From an operational defense perspective, the lesson is blunt: edge devices must be treated as critical assets, not as background infrastructure. Continuous monitoring, segmentation, and strict access control must become standard practice. Furthermore, zero-trust principles—verifying every connection and never assuming internal safety—are no longer optional; they’re existential.
The persistent nature of BADCANDY, surviving through multiple waves of remediation over more than two years, marks it as a symbol of the new cyber era. It demonstrates that malware no longer needs to be persistent in code to be persistent in effect. The real persistence now lies in attacker behavior—adaptive, automated, and relentless.
In short, the defenders are fighting malware. The attackers are fighting a campaign.
🔍 Fact Checker Results
✅ ASD confirmed over 150 active BADCANDY compromises as of October 2025.
✅ CVE-2023-20198 carries a critical 10.0 CVSS score and remains one of the most exploited flaws globally.
❌ Rebooting devices alone does not eliminate the vulnerability—it only removes the visible implant.
📊 Prediction: The Future of the BADCANDY War
🧠 Over the next year, cybersecurity experts expect continued reinfection cycles as unpatched devices remain exposed.
💣 Attackers will likely automate BADCANDY deployment through AI-driven vulnerability scanners, accelerating exploitation.
🔒 Organizations that fail to adopt zero-trust frameworks and continuous patching strategies risk becoming long-term espionage targets.
The BADCANDY campaign isn’t just another malware story—it’s a warning flare for every network on Earth: in the age of automation, vigilance is the only true firewall.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




