
BadCandy: Stealth Implant Converts IOS XE into a Persistent Surveillance Node


Cybercriminals and advanced persistent threat (APT) actors continue to move toward stealthier, persistence-focused, and profit-driven operations. Recent intelligence reports describe a coordinated exploitation campaign built on a single high-severity vulnerability, the Cisco IOS XE privilege escalation flaw CVE-2023-20198, which is being used to compromise network infrastructure, deploy ransomware, and maintain deep, long-term network persistence.

Both nation-state actors and financially motivated ransomware groups are exploiting this flaw in parallel to gain administrative access, escalate privileges, and deploy malware across enterprise and government networks worldwide.

Executive Summary

BadCandy is a malicious Lua-based implant deployed on Cisco IOS XE devices through exploitation of a vulnerability in the device's web user interface (Web UI). The implant runs at the system (root) level, letting attackers execute arbitrary commands and keep control of compromised devices. Although BadCandy itself is non-persistent and is removed by a reboot, the privilege 15 accounts created during exploitation remain in the configuration unless an administrator deletes them, and attackers frequently reinfect devices and steal credentials, which gives them long-term access.

The campaign began in October 2023 and remains active, with incidents continuing through 2024 and 2025. Threat actors have also applied non-persistent "patches" to devices they compromised; these mask the vulnerable Web UI from scanners without fixing the underlying software, so the device looks patched while remaining compromised, which complicates detection and remediation. The attack has affected hundreds of Cisco IOS XE devices globally, including more than 400 in Australia since July 2025, about 150 of which were still compromised as of late October 2025.

Background on BADCANDY Attacks on Cisco IOS XE Devices

In late 2023, the Australian Signals Directorate (ASD) and CISA issued urgent advisories about ongoing exploitation of unpatched Cisco IOS XE devices. Attackers were deploying a Lua-based webshell known as BADCANDY by exploiting CVE-2023-20198, a critical remote privilege escalation vulnerability in the web-based user interface (Web UI) of Cisco IOS XE.

This flaw enables unauthenticated remote attackers to create arbitrary high-privilege accounts, granting full administrative control over the affected device. The BADCANDY webshell allows execution of arbitrary commands at the system (root) level, facilitating further malware deployment and network reconnaissance.

Notably, the APT group SALT TYPHOON, assessed to have links to Chinese intelligence, has been associated with these intrusions, exploiting the flaw to implant access points on network devices and exfiltrate configuration data.

Vulnerability Details

CVE-ID: CVE-2023-20198
CVSS Score: 10.0 (Critical)
EPSS Score: 94.07%
Vulnerability: Privilege Escalation / Remote Unauthorized Access
Affected Product: Cisco IOS XE Software (with HTTP Server or Web UI feature enabled)

Infection Method

Initial Access

  • Attackers scan the internet for unpatched Cisco IOS XE devices with the web management interface exposed.
  • Vulnerable devices running the HTTP or HTTPS server feature become entry points for remote exploitation.
  • No authentication is required — attackers can exploit the flaw remotely and anonymously.

Exploitation

  • The vulnerability, CVE-2023-20198, allows unauthenticated attackers to create new local user accounts with privilege level 15 (full administrative rights).
  • Once the account is created, adversaries log in to the compromised device, modify configurations, and install the BADCANDY webshell, written in Lua, to maintain access.

Payload Delivery

  • The BADCANDY webshell is implanted directly on the router’s file system, enabling remote command execution through the web interface.
  • After deployment, attackers may use the compromised Cisco device to:
    • Relay traffic and perform network reconnaissance.
    • Exfiltrate sensitive data from enterprise networks.
    • Deploy additional malware or ransomware loaders on connected systems.
  • In some incidents, attackers applied a non-persistent configuration change after compromise that masks the vulnerable entry point from scanners and evades detection; because the change is not saved, the device is vulnerable again after a reboot.

Execution & Persistence

  • The BADCANDY webshell allows remote execution of system-level commands via HTTP requests.
  • The webshell itself does not survive a reboot, so attackers maintain long-term access by:
    • Using the privilege 15 local accounts created during exploitation, which remain in the configuration until an administrator removes them.
    • Re-exploiting the device and re-deploying the webshell after it has been removed or the device has been rebooted.
  • The implant may also disguise itself as legitimate Cisco processes or files, hindering forensic detection.

Command-and-Control (C2)

  • Compromised devices communicate with attacker-controlled servers over HTTP(S) or covert tunnels.
  • Threat actors have been observed establishing tunnel interfaces to exfiltrate data or relay commands through encrypted channels.
  • In some cases, attackers used compromised routers as intermediate C2 nodes for broader intrusion campaigns.

Impact

  • Complete System Compromise: Attackers gain root-level control over Cisco IOS XE devices.
  • Network Pivoting: Compromised routers can be used to move laterally within corporate networks.
  • Espionage & Data Theft: Threat actors can intercept, reroute, or exfiltrate sensitive communications.
  • Infrastructure Disruption: Adversaries can alter routing configurations, disrupt connectivity, or launch further attacks.
  • Ransomware Deployment: Access gained via BADCANDY can be used to stage ransomware payloads on internal systems.

Visual Flow

Initial Access (scanning for unpatched devices) -> Exploitation (CVE-2023-20198 privilege escalation) -> Payload Delivery (BADCANDY webshell deployment) -> Execution & Persistence (command execution, hidden accounts) -> Command & Control (tunneled or HTTP-based C2 communication) -> Impact (data exfiltration, ransomware, or further compromise)

Mitigation Steps

  1. Apply Security Patches:
    • Immediately upgrade Cisco IOS XE devices to the latest patched versions addressing CVE-2023-20198.
    • Cisco has released fixed builds and recommends verifying device integrity post-update.
    • Rebooting clears the BADCANDY implant from the device but removes neither the vulnerability nor any attacker-created accounts; patch first, then audit the configuration.
  2. Disable Web UI if Unnecessary:
    • Disable the HTTP/HTTPS Server feature on routers and switches if not required.
    • Restrict access to the Web UI to trusted IP addresses only.
  3. Audit and Remediate Unauthorized Accounts:
    • Review configuration files for suspicious privilege 15 accounts, especially with names such as cisco_tac_admin, cisco_support, or random strings.
    • Remove any unauthorized users immediately.
  4. Inspect for Indicators of Compromise (IOCs):
    • Run Cisco's published implant check: an unauthenticated HTTP POST to /webui/logoutconfirm.html?logon_hash=1 on the device. A response consisting of a hexadecimal string indicates the implant; note that later implant variants only answer when a specific Authorization header is present, so a negative result does not prove the device is clean.
    • Check for unknown tunnel interfaces or suspicious HTTP requests.
    • Examine logs for signs of configuration changes or newly created accounts.
    • Review TACACS+ and AAA command accounting logs for anomalies.
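As an added example (not code from the original post, Cisco, or ASD), the following shell script turns the checks in steps 3 and 4 above into reusable functions: Cisco's published implant check, an allowlist-based audit of privilege 15 accounts in a saved running-config, and a grep for the syslog message types Cisco listed as Web UI indicators. The sample running-config and syslog lines are constructed for the demo, the hostnames and usernames in them are made up, and `implant_check` is the only part that needs a live device.

```shell
#!/usr/bin/env bash
# Added triage helpers for the BADCANDY / CVE-2023-20198 checks described above.
# Example code written for this page, not Cisco's or the post's own tooling.
# Assumed inputs: a saved "show running-config" and a syslog export (both
# constructed below), plus a reachable device address for implant_check.
set -u

# --- 1. Cisco's published implant check ---------------------------------------
# An unauthenticated POST to /webui/logoutconfirm.html?logon_hash=1 makes a
# device running the original implant answer with a bare hexadecimal string
# (Cisco's example is 0123456789abcdef01); a clean Web UI returns ordinary HTML.
# Caveat: later implant variants only respond when a specific Authorization
# header is present, so a "clean" verdict here is not proof of absence.
implant_check() {                     # usage: implant_check <device-ip-or-host>
  local target="$1" body
  body=$(curl -sk -m 10 -X POST "https://${target}/webui/logoutconfirm.html?logon_hash=1") || {
    echo "unreachable"; return 0; }
  classify_implant_response "$body"
}

# Decision logic split out so it can be exercised without a live device.
classify_implant_response() {         # prints "implant" or "clean"
  local trimmed
  trimmed=$(printf '%s' "$1" | tr -d '[:space:]')
  if printf '%s\n' "$trimmed" | grep -Eq '^[0-9a-fA-F]{16,}$'; then
    echo "implant"
  else
    echo "clean"
  fi
}

# --- 2. Privilege 15 account audit --------------------------------------------
# Lists "username <name> privilege 15 ..." entries that are not on an allowlist.
# Observed attacker names include cisco_tac_admin and cisco_support, but random
# strings are also used, so compare against the accounts you expect rather
# than against a blocklist of known-bad names.
suspicious_priv15_users() {           # usage: suspicious_priv15_users <config> <allowed-user>...
  local cfg="$1"; shift
  local allowed=" $* " user
  awk '$1 == "username" && $3 == "privilege" && $4 == "15" { print $2 }' "$cfg" |
  while IFS= read -r user; do
    case "$allowed" in
      *" $user "*) ;;                 # expected account, skip
      *) echo "$user" ;;              # unexpected privilege 15 account
    esac
  done
}

# --- 3. Syslog triage ---------------------------------------------------------
# Flags the message types Cisco listed as indicators of Web UI abuse:
# programmatic config changes by the Web UI process, Web UI logins, and
# Web UI install operations. Review the hits; legitimate admins trigger these too.
ioc_log_hits() {                      # usage: ioc_log_hits <syslog-file>
  grep -E 'SYS-5-CONFIG_P.*SEP_webui_wsma_http|SEC_LOGIN-5-WEBLOGIN_SUCCESS|WEBUI-6-INSTALL_OPERATION_INFO' "$1"
}

# --- Constructed sample data (not from a real device) ---------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/running-config" <<'EOF'
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 5 $1$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
username xk3z9q privilege 15 password 7 REDACTED
ip http server
ip http secure-server
EOF
cat > "$SAMPLE_DIR/syslog" <<'EOF'
Oct 17 03:12:44.102: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.23] at 03:12:44 UTC Tue Oct 17 2023
Oct 17 03:12:51.881: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 17 03:13:02.004: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD bootflash:update.tar
Oct 17 03:20:10.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
EOF

# --- Demo run ------------------------------------------------------------------
echo "== privilege 15 accounts not on the allowlist (allowlist: netadmin) =="
suspicious_priv15_users "$SAMPLE_DIR/running-config" netadmin
echo "== Web UI indicator lines in syslog =="
ioc_log_hits "$SAMPLE_DIR/syslog"
echo "== implant-check verdicts on two constructed responses =="
classify_implant_response '0123456789abcdef01'
classify_implant_response '<html><head><title>Cisco Web UI</title></head></html>'
# Against a real device: implant_check 192.0.2.1
```

The hardening in step 2 is done on the device, not from the shell: `no ip http server` and `no ip http secure-server` disable the Web UI, and if it must stay enabled, `ip http access-class` bound to an ACL limits which sources can reach it. Run the account audit against a freshly saved `show running-config`; attacker accounts survive a reboot while the implant does not, so a device that looks clean to `implant_check` can still carry an unauthorized privilege 15 user.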

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.