Numerous Australian Cisco Devices Remain Infected with BADCANDY Malware






BADCANDY Malware Risk on Australian Cisco Devices

Fast Overview

  • More than 150 Cisco devices in Australia continue to be infected with BADCANDY malware.
  • Fixes for the flaw have been accessible for over two years.
  • Re-infection remains a threat as malicious actors are actively taking advantage of the vulnerability.
  • BADCANDY enables attackers to entirely compromise devices and capture network traffic.
  • The ASD has identified China’s Salt Typhoon group as one of the malicious actors.
  • The vulnerability, CVE-2023-20198, has a top severity rating of 10.0.
  • Restarting devices eliminates BADCANDY but does not address the flaw.
  • It is essential to implement patches and examine device settings for effective protection.



Overview of BADCANDY Malware

The BADCANDY webshell has consistently posed a threat to Cisco routers and switches within Australia. Although patches have been available for over two years, more than 150 devices remained compromised as of late October 2025. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC-ASD) notes that re-infection is a major concern because malicious actors continue to exploit the flaw.

Technical Insights and Exploitation

The BADCANDY malware is deployed by exploiting a flaw designated CVE-2023-20198, which carries the maximum severity rating of 10.0. The flaw lets attackers create admin accounts, run commands, and take complete control of affected devices. Since it emerged in October 2023, the malware’s ease of use has appealed to both criminal and state-sponsored actors, including China’s Salt Typhoon group.

Preventive Strategies and Suggestions

The ACSC-ASD recommends that organizations implement necessary patches and examine device configurations for unusual admin accounts. Investigating the presence of unknown tunnel interfaces is also advised. While rebooting can eliminate the malware, it does not rectify the core vulnerability, requiring additional steps to secure devices.
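One way to script the configuration review the ACSC-ASD recommends, as an added example that is not from the article or the ASD: it parses a running-config excerpt and flags privilege-15 accounts and Tunnel interfaces that are not on an operator-maintained allowlist. The sample config, account names, addresses and allowlists below are all constructed.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device).
# "support_tmp" and "Tunnel0" stand in for entries an operator did not create.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username netadmin privilege 15 secret 5 <placeholder>
username support_tmp privilege 15 secret 5 <placeholder>
username monitor privilege 1 secret 5 <placeholder>
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
interface Tunnel1
 description approved site-to-site VPN
"""

# IOS-style "username NAME privilege N ..." lines; accounts without an explicit
# privilege keyword default to level 1 and are therefore not matched here.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
# Any "interface TunnelN" stanza, regardless of what follows it.
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)", re.M)


def audit_config(config, known_admins, known_tunnels):
    """Return (finding, name) pairs for privilege-15 users and Tunnel
    interfaces that are absent from the operator's allowlists."""
    findings = []
    for name, priv in USERNAME_RE.findall(config):
        if int(priv) >= 15 and name not in known_admins:
            findings.append(("unexpected-admin-account", name))
    for tunnel in TUNNEL_RE.findall(config):
        if tunnel not in known_tunnels:
            findings.append(("unexpected-tunnel-interface", tunnel))
    return findings


if __name__ == "__main__":
    # Allowlists are constructed; in practice they come from the change record.
    for kind, name in audit_config(SAMPLE_CONFIG, {"netadmin"}, {"Tunnel1"}):
        print(f"{kind}: {name}")
```

Run it against the output of `show running-config` after patching; a hit for an account or tunnel nobody provisioned is a reason to treat the device as compromised rather than merely unpatched.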

Conclusion

The persistent existence of BADCANDY malware on Australian Cisco devices highlights the urgent need for alertness and proactive cybersecurity actions. Organizations must take swift measures to patch vulnerabilities and monitor their systems to reduce the risk of re-infection and potential data leaks.

Q: What is BADCANDY malware?

A: BADCANDY is a webshell that takes advantage of a vulnerability in Cisco devices, enabling attackers to control and intercept network traffic.

Q: How critical is the BADCANDY vulnerability?

A: The vulnerability, recognized as CVE-2023-20198, has a maximum severity rating of 10.0, indicating a critical threat.

Q: Who is responsible for the BADCANDY attacks?

A: Both criminal organizations and state-sponsored actors, including China’s Salt Typhoon group, have been known to exploit BADCANDY.

Q: Is it possible to remove BADCANDY by rebooting a device?

A: Rebooting can eliminate the malware, but it does not resolve the underlying vulnerability, leaving devices still exposed.

Q: What steps should organizations undertake to safeguard their devices?

A: Organizations should apply patches, audit admin accounts for suspicious behavior, and fortify their network settings.

Q: Why are numerous devices still infected after two years?

A: Even though patches are available, many devices remain unpatched, with re-infections occurring due to active exploitation by malicious actors.
