Australia’s routers are under siege again. The nation’s cyber-watchdog has raised the alarm as hackers are hijacking unpatched Cisco IOS XE devices, slipping in a stealthy web-shell named BADCANDY like it’s their backstage pass to critical infrastructure.
According to the ASD, this campaign exploits CVE-2023-20198, a critical CVSS 10.0 flaw that enables a remote, unauthenticated attacker to create an administrative (privilege-15) account and seize full control of a vulnerable router.
The bug has been a hacker favorite since 2023, and groups tied to China, such as Salt Typhoon, have been flagged for using it to breach telecom providers.
Here’s the kicker: since July 2025, more than 400 Cisco devices across Australia are estimated to have been compromised, with about 150 still infected as of late October.
BADCANDY is a Lua-based implant that doesn’t survive a reboot, but don’t breathe easy yet. Attackers reportedly detect when defenders remove the implant and then swoop back in to re-install it on any still-vulnerable systems.
What makes this nastier is that after the hack the attackers apply fake “patches” to make the device appear safe while the root vulnerability remains open. So, while admins may think the router is clean, it’s still wide open. Rebooting only removes the visible implant; credentials may already be stolen and deeper persistence may lurk elsewhere.
The ASD’s prescription? Patch or perish. Update to Cisco’s fixed builds (IOS XE 17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a), disable or tightly control web-UI exposure, hunt for rogue privilege-15 accounts such as “cisco_tac_admin”, “cisco_support” or random-string usernames, check for unknown tunnel interfaces, and review logging and TACACS+/AAA accounting.
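To make that checklist concrete, here is an added Python triage script (written for this article; it is not ASD or Cisco tooling). It assumes you have already pulled the output of `show version` and `show running-config` from the router over your normal management path, and that your team keeps an allow-list of legitimate privilege-15 accounts. The fixed-build table contains only the four trains named above; any other train is reported as “unknown” so you go back to Cisco’s advisory rather than trust the script. The sample configuration is constructed for illustration and is not from a real device.

```python
"""Offline triage for the CVE-2023-20198 / BADCANDY indicators listed in the post.

Added example, not ASD or Cisco code. Inputs are plain-text captures of
'show version' and 'show running-config' that you have already collected.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int, str]

# Fixed builds quoted in the post, keyed by release train (major, minor).
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (17, 9): (17, 9, 4, "a"),
    (17, 6): (17, 6, 6, "a"),
    (17, 3): (17, 3, 8, "a"),
    (16, 12): (16, 12, 10, "a"),
}

# Account names the post names as known rogue accounts.
KNOWN_ROGUE = {"cisco_tac_admin", "cisco_support"}

# Constructed sample 'show running-config' excerpt (hypothetical, not a real device).
SAMPLE_CONFIG = """\
version 17.9
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username x9Qz2pLw privilege 15 secret 9 $9$placeholder
username readonly privilege 1 secret 9 $9$placeholder
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel77
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
logging host 192.0.2.50
"""


def parse_version(text: str) -> Version:
    """Turn '17.9.4a' into (17, 9, 4, 'a'). An empty suffix sorts before 'a',
    so 17.9.4 compares as older than the 17.9.4a rebuild."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def is_vulnerable_build(version: str) -> Optional[bool]:
    """True if the build is below the fixed build for its train, False if at or
    above it, None if the train is not one of the four the post lists."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def audit_config(config: str, allowed_admins: Set[str]) -> List[str]:
    """Flag the config-level indicators from the ASD guidance."""
    findings: List[str] = []
    lines = [line.strip() for line in config.splitlines()]
    for line in lines:
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m:
            user = m[1]
            if user in KNOWN_ROGUE:
                findings.append(f"known rogue account: {user}")
            elif user not in allowed_admins:
                findings.append(f"unexpected privilege-15 account: {user}")
        m = re.match(r"interface (Tunnel\d+)", line)
        if m:
            findings.append(f"tunnel interface present, verify it is expected: {m[1]}")
    # Web UI exposure: both commands matter, HTTP and HTTPS alike.
    enabled = [cmd for cmd in ("ip http server", "ip http secure-server") if cmd in lines]
    if enabled:
        findings.append(f"web UI enabled ({', '.join(enabled)}): restrict to a management network or disable")
    if not any(line.startswith("aaa accounting commands 15") for line in lines):
        findings.append("no AAA command accounting for privilege 15, so rogue activity leaves no central trail")
    if not any(line.startswith("logging host") for line in lines):
        findings.append("no remote syslog host configured")
    return findings


def triage(version: str, config: str, allowed_admins: Set[str]) -> Dict[str, object]:
    """Combine the build check and the config audit into one report."""
    vuln = is_vulnerable_build(version)
    status = {True: "vulnerable", False: "fixed", None: "unknown train, check Cisco advisory"}[vuln]
    return {"version": version, "build": status, "findings": audit_config(config, allowed_admins)}


if __name__ == "__main__":
    # Hypothetical 'show version' value and allow-list for the sample.
    report = triage("17.9.3", SAMPLE_CONFIG, {"netops"})
    print(f"IOS XE {report['version']}: {report['build']}")
    for finding in report["findings"]:
        print(" -", finding)
```

A reboot clearing the implant changes nothing in this report: the build status comes from the running version, and the rogue accounts and tunnel survive a restart, which is the point the post makes about re-infection.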
This wave of attacks isn’t a random smash-and-grab — it’s a long-running, surgical exploitation campaign stretching from 2023 into 2025. BADCANDY may not persist after a reboot, but the attackers do. And as long as routers stay unpatched, the candy store’s still open.