ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability
The Australian Signals Directorate (ASD) has issued a bulletin about ongoing cyber attacks targeting unpatched Cisco IOS XE devices in the country with a previously undocumented implant known as BADCANDY. The activity, per the intelligence agency, involves the exploitation of CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability that allows a remote, unauthenticated attacker to create an
AI Analysis
Technical Summary
The threat involves exploitation of CVE-2023-20198 (CVSS 10.0), a critical vulnerability in the web UI feature of Cisco IOS XE software. The flaw lets a remote, unauthenticated attacker create a local account with privilege level 15, the highest IOS privilege level, which grants full administrative control of the device. It is only reachable when the device's HTTP or HTTPS server (enabled by ip http server or ip http secure-server) is exposed to the attacker. The Australian Signals Directorate (ASD) has identified ongoing attacks that follow exploitation with a previously undocumented implant named BADCANDY, a Lua-based web shell used to maintain access post-exploitation. BADCANDY is non-persistent: it lives in memory and does not survive a reboot. Attackers, however, can detect when it has been removed and re-deploy it on any device that is still unpatched and reachable from the internet. After compromise the implant also applies its own non-persistent patch, which gives the device the false appearance of having been fixed and masks its vulnerable state from scanners. Since late 2023, China-linked threat actors such as Salt Typhoon have weaponized this vulnerability to breach telecommunications providers, and ASD reported hundreds of compromised devices in Australia alone by mid-2025. The attack requires no authentication or user interaction; it targets unpatched IOS XE devices whose web UI is exposed to the internet. Post-compromise, attackers create privileged accounts, modify configurations, and may establish tunnel interfaces or other backdoors. ASD recommends immediate patching, restricting public access to device management interfaces, auditing privileged accounts (especially those with suspicious names like "cisco_tac_admin"), reviewing unknown tunnel interfaces, and enabling detailed command accounting logs to detect unauthorized changes. Because the implant is non-persistent, a reboot does remove it, but a reboot alone is not remediation: an unpatched, exposed device is simply re-exploited, and any accounts or configuration the attacker added survive the reboot. Patching, removal of unauthorized accounts and configuration, and restriction of web UI exposure are all required to prevent re-exploitation.
Potential Impact
For European organizations, especially telecommunications providers, internet service providers, and critical infrastructure operators relying on Cisco IOS XE devices, this threat poses a severe risk. Successful exploitation can lead to full device compromise, enabling attackers to manipulate network traffic, intercept sensitive communications, disrupt services, or establish persistent footholds within networks. The ability to create privileged accounts without authentication undermines device integrity and confidentiality, potentially facilitating further lateral movement and espionage. Given the critical role of Cisco IOS XE in enterprise and carrier-grade network equipment, compromised devices could impact availability and reliability of essential services. The ongoing nature of attacks and the attackers’ capability to detect implant removal increase the risk of repeated intrusions. European organizations with internet-exposed Cisco IOS XE devices that remain unpatched or improperly configured are particularly vulnerable. The geopolitical context, including tensions involving China-linked threat actors, heightens the risk for strategic sectors in Europe. Disruptions could affect not only commercial networks but also government and defense communications, amplifying potential economic and national security consequences.
Mitigation Recommendations
1. Immediately apply the Cisco fixed releases for CVE-2023-20198. Patching is the only step that removes the vulnerability itself; every other step below limits exposure or detects compromise.
2. Restrict public internet exposure of Cisco IOS XE management interfaces, above all the web UI. The web UI is enabled by ip http server and ip http secure-server; disable both if the UI is not needed, otherwise limit it to management networks with ip http access-class, firewalls or VPN access.
3. Audit running configurations for unauthorized privilege-15 accounts, particularly names such as "cisco_tac_admin" or "cisco_support" and names that look like random strings, and remove any that are not on record.
4. Review and remove unknown or unauthorized tunnel interfaces, which may indicate backdoors or unauthorized network paths.
5. Enable TACACS+ AAA command accounting for privilege level 15 and monitor the logs for unauthorized configuration changes and suspicious activity.
6. Segment the network so that critical Cisco devices are isolated from general user networks, reducing the attack surface.
7. Reboot devices once they are patched to clear non-persistent implants such as BADCANDY. Rebooting an unpatched, exposed device only removes the implant until the attacker re-exploits it, and attacker-added accounts and configuration survive the reboot.
8. Continuously monitor and threat-hunt on Cisco IOS XE devices for signs of compromise or re-infection.
9. Follow Cisco and the wider security community for updated hardening guidance and threat intelligence.
10. Train network administrators to recognize indicators of compromise for this threat and enforce strict credential management.
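As an added example (not code from the page, from ASD or from Cisco), the following Python script audits a saved show running-config for the indicators the steps above describe: privilege-15 accounts not on an approved list (flagging the reported names and machine-looking ones separately), tunnel interfaces not on record, a web UI that is enabled without an access-class ACL, and missing TACACS+ command accounting, and it emits the IOS XE lines that remediate each finding. The sample config, the approved-user and approved-tunnel sets, the "looks random" heuristic and the ACL name WEBUI-MGMT are all assumptions made for the example.

```python
"""Audit an IOS XE running-config for BADCANDY follow-on indicators. Added
example, not code from the page, ASD or Cisco; the config, approved lists,
"looks random" heuristic and ACL name below are assumptions."""
import re

# Constructed `show running-config` output (hostname, users and addresses made
# up): web UI on, a TAC-sounding and a throwaway-looking privilege-15 account,
# an unexplained tunnel, and no command accounting.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username qx7ha2kl privilege 15 secret 9 $9$REDACTED
username helpdesk privilege 1 secret 9 $9$REDACTED
!
aaa new-model
!
interface Tunnel77
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.44
!
ip http server
ip http secure-server
!
end
"""

APPROVED_USERS = {"netops", "helpdesk"}        # assumption: accounts on record
APPROVED_TUNNELS: set[str] = set()              # assumption: no sanctioned tunnels
REPORTED_NAMES = {"cisco_tac_admin", "cisco_support"}  # names cited in the bulletin

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)", re.M)


def parse_users(config: str) -> list[tuple[str, int]]:
    """(username, privilege) pairs; IOS defaults to privilege 1 when omitted."""
    return [(m.group(1), int(m.group(2) or 1)) for m in USER_RE.finditer(config)]


def parse_tunnels(config: str) -> list[str]:
    return TUNNEL_RE.findall(config)


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 8+ lowercase alphanumerics with two or more digits."""
    return bool(re.fullmatch(r"[a-z0-9]{8,}", name)) and sum(c.isdigit() for c in name) >= 2


def web_ui_exposed(config: str) -> bool:
    """HTTP or HTTPS server enabled and no access-class ACL restricting it."""
    enabled = re.search(r"^ip http (secure-)?server$", config, re.M) is not None
    restricted = re.search(r"^ip http access-class ", config, re.M) is not None
    return enabled and not restricted


def command_accounting_enabled(config: str) -> bool:
    """Privilege-15 commands are accounted to TACACS+."""
    pat = r"^aaa accounting commands 15 \S+ start-stop group tacacs\+"
    return re.search(pat, config, re.M) is not None


def audit(config: str, approved_users: set[str], approved_tunnels: set[str]) -> list[str]:
    findings = []
    for name, priv in parse_users(config):
        if priv != 15 or name in approved_users:
            continue
        if name in REPORTED_NAMES:
            why = "name reported in BADCANDY-related intrusions"
        elif looks_random(name):
            why = "name looks machine-generated"
        else:
            why = "not on the approved list"
        findings.append(f"privilege-15 user {name}: {why}")
    for tun in parse_tunnels(config):
        if tun not in approved_tunnels:
            findings.append(f"unknown tunnel interface {tun}")
    if web_ui_exposed(config):
        findings.append("web UI enabled with no ip http access-class restriction")
    if not command_accounting_enabled(config):
        findings.append("no TACACS+ command accounting for privilege 15")
    return findings


def remediation(findings: list[str]) -> list[str]:
    """Config lines to apply after patching; WEBUI-MGMT is an assumed ACL name."""
    cmds = []
    for f in findings:
        if f.startswith("privilege-15 user "):
            cmds.append(f"no username {f.split()[2].rstrip(':')}")
        elif f.startswith("unknown tunnel interface "):
            cmds.append(f"no interface {f.split()[-1]}")
        elif f.startswith("web UI enabled"):
            cmds.append("ip http access-class ipv4 WEBUI-MGMT")
        elif f.startswith("no TACACS+"):
            cmds.append("aaa accounting commands 15 default start-stop group tacacs+")
    return cmds


if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG, APPROVED_USERS, APPROVED_TUNNELS)
    print("\n".join(f"FINDING: {f}" for f in found), "\n".join(remediation(found)), sep="\n\n")
```

Run it against the saved output of show running-config from each device; the embedded sample exists only so the script runs offline. The ACL named in ip http access-class must already exist and permit only the management network, and if the web UI is not needed at all, no ip http server and no ip http secure-server remove the attack surface entirely. On a device that has not yet been patched, any finding should be handled as a possible compromise rather than a hygiene issue, because BADCANDY's own patch can make the device look fixed.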
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Finland
Technical Details
- Article Source: https://thehackernews.com/2025/11/asd-warns-of-ongoing-badcandy-attacks.html (fetched 2025-11-02T01:05:23.897Z; 995 words)
Threat ID: 6906ae5b4dd0d643165de7f8
Added to database: 11/2/2025, 1:05:31 AM
Last enriched: 11/2/2025, 1:05:45 AM
Last updated: 11/5/2025, 2:09:08 PM