Badcandy: Old Cisco IOS XE vulnerability still exploited thousands of times
A fix for the Cisco IOS XE vulnerability CVE-2023-20198 has been available since 2023. The Shadowserver Foundation still sees around 15,000 infected devices.
(Image: Anucha Cheechang/Shutterstock.com)
The Australian Signals Directorate (ASD), Australia's signals intelligence agency, warns of the malware "Badcandy," which state-sponsored actors install through an old security vulnerability in Cisco IOS XE. The vulnerability has been known since 2023, and Cisco has published software updates that close it.
Australian officials report that attacks on the vulnerability (CVE-2023-20198, CVSS 10.0, risk "critical") are still being observed. The Badcandy malware has been deployed on vulnerable Cisco devices through the vulnerability since October 2023, and renewed activity was observed in both 2024 and 2025.
Badcandy Malware
The malicious software is a Lua-based web shell. After compromising a device through the vulnerability, the attackers have typically installed a non-persistent patch of their own to conceal that the device is still susceptible to the security vulnerability; a scan for the vulnerability can therefore report the device as not vulnerable even though it is compromised. The Badcandy malware itself does not survive a device reboot, but neither does the attackers' patch, so a rebooted device is vulnerable again until the vendor update is applied. Attackers can also maintain access to the network or devices through credentials they created or other forms of persistence, which a reboot does not remove.
To prevent renewed exploitation of the vulnerability and re-infection of the device, administrators must apply the available software update. In Australia alone, the ASD has found more than 400 potentially compromised devices this year, and at the end of October more than 150 Cisco devices were still affected. The ASD has sent the victims notifications with instructions for patching, rebooting, and hardening the devices.
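The patch/reboot/harden advice above can be checked against a device's own configuration and log output. The following script is an added example and is not code from the article, the ASD or Cisco: it runs over constructed `show running-config` and `show logging` text (invented for this example, not real device output), reports whether the HTTP/HTTPS web UI that the vulnerability lives in is still enabled, lists privilege-15 local accounts that are not on an approved list (the kind of credential persistence that survives a reboot), flags the programmatic-configuration and web UI install log messages that accompany exploitation of the vulnerability, and prints the commands that disable the web UI. The log message formats are taken from my reading of Cisco's advisory for CVE-2023-20198 and should be verified against that advisory; the approved-account list and the hostnames and timestamps are assumptions.

```python
import re

# Constructed sample of "show running-config" output (invented for this example,
# not taken from any real device). The attacker-style account name is an assumption.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$xxxxxxxxxxxxxxxx
username cisco_tac_admin privilege 15 secret 9 $9$yyyyyyyyyyyyyyyy
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed sample of "show logging" output (invented; timestamps and users are assumptions).
SAMPLE_LOGGING = """\
*Oct 17 10:12:01.203: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]
*Oct 17 10:13:44.501: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
*Oct 17 10:13:45.010: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD /tmp/xyz
*Oct 17 10:20:00.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)
"""

# Assumption: the organisation's approved local privilege-15 accounts.
KNOWN_ADMINS = {"admin"}

# Log patterns associated with exploitation of the vulnerability (as I understand
# Cisco's advisory; verify against the advisory before relying on them).
SUSPICIOUS_LOG_PATTERNS = [
    r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http",
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: \S+, Install Operation: ADD",
]


def web_ui_exposed(running_config: str) -> list[str]:
    """Return the 'ip http server' / 'ip http secure-server' lines that keep the web UI reachable."""
    return [ln.strip() for ln in running_config.splitlines()
            if re.match(r"^\s*ip http (secure-)?server\s*$", ln)]


def unexpected_priv15_users(running_config: str, known: set[str] = KNOWN_ADMINS) -> list[str]:
    """Privilege-15 local users not on the approved list: candidate attacker persistence."""
    users = re.findall(r"^username (\S+) privilege 15\b", running_config, re.M)
    return [u for u in users if u not in known]


def suspicious_log_lines(logging_output: str) -> list[str]:
    """Log lines matching the exploitation-related message formats."""
    return [ln for ln in logging_output.splitlines()
            if any(re.search(p, ln) for p in SUSPICIOUS_LOG_PATTERNS)]


def hardening_commands(running_config: str) -> list[str]:
    """Config-mode commands that disable the exposed web UI (Cisco's interim mitigation)."""
    return ["no " + line for line in web_ui_exposed(running_config)]


def triage(running_config: str, logging_output: str, known: set[str] = KNOWN_ADMINS) -> dict:
    """Combine the checks into one report; 'compromise_indicators' is what to escalate on."""
    users = unexpected_priv15_users(running_config, known)
    logs = suspicious_log_lines(logging_output)
    return {
        "web_ui_enabled": bool(web_ui_exposed(running_config)),
        "unexpected_priv15_users": users,
        "suspicious_log_lines": logs,
        "compromise_indicators": bool(users or logs),
        "hardening_commands": hardening_commands(running_config),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RUNNING_CONFIG, SAMPLE_LOGGING)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the saved output of the two show commands rather than the constructed samples. A device that shows compromise indicators should be treated as breached regardless of whether a vulnerability scanner still reports it as vulnerable, since the attackers' own non-persistent patch hides the vulnerability; the order of work stays the same as in the ASD's notifications: install the vendor update, reboot, remove the unexpected accounts, and disable the web UI unless it is operationally required.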
The Shadowserver Foundation has now also published updated figures on Mastodon. According to these, around 15,000 Cisco IOS XE devices worldwide still carry the malicious backdoor, and frequent reinfection campaigns are being observed. In the Shadowserver Foundation's breakdown by country, 90 Cisco devices in Germany are currently infiltrated with Badcandy, which places the Federal Republic in 33rd place on the list. That is still a sign that administrators here need to take action as well: because of the attackers' non-persistent patch, some devices may not have been recognized as vulnerable and may therefore have been left unpatched.
The Cisco vulnerability is evidently popular with attackers. As early as the end of June, the FBI and the Canadian Centre for Cyber Security warned that Chinese state-sponsored groups were still actively exploiting the old security vulnerability; in that case, they had gained access to the network of a Canadian telecommunications provider.
(dmk)