The Australian Signals Directorate (ASD) has released a bulletin on continuing cyberattacks against unpatched Cisco IOS XE devices in Australia that deploy an unauthorized implant known as BADCANDY.
According to the intelligence agency, the activity involves exploitation of CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability in the IOS XE web user interface that allows a remote, unauthenticated attacker to create a local account with the highest privilege level (privilege 15) and use it to take full control of the device.
The flaw has been actively exploited in the wild since 2023; in recent months, China-linked threat actors such as Salt Typhoon have weaponized it to compromise telecommunications companies.
Variants of BADCANDY have been observed since October 2023, according to ASD, with new attacks reported in 2024 and 2025. The implant is thought to have infected up to 400 devices in Australia since July 2025, 150 of them in October alone.
The implant does not survive a reboot because it has no persistence mechanism. However, if the device remains unpatched and exposed to the internet, the threat actor can simply re-deploy it and regain access.
ASD assesses that the threat actors can detect when the implant has been removed and then re-infect the device: devices belonging to entities the agency had previously notified have since been re-exploited.
Moreover, a reboot does not undo anything the attackers did while the implant was present, such as the privileged account created through CVE-2023-20198. To stop further exploitation, operators must therefore apply the patches, restrict public exposure of the web user interface, and follow Cisco's hardening guidance.
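The two things an operator should verify after a clean-up follow directly from the bulletin: whether the web UI is still reachable, and from where, and whether any privilege-15 local accounts exist that the operator did not create. The script below is an added example written for this article, not code from ASD or Cisco. It audits a saved running-config for both points. The `ip http server`, `ip http secure-server`, `ip http access-class` and `username ... privilege 15` commands are standard IOS XE syntax; the "weak" and "hardened" configs are constructed for illustration, and the list of expected administrators is a hypothetical operator-supplied allowlist. Note that this checks exposure and residual accounts only; it does not detect the implant itself.

```python
"""Audit a Cisco IOS XE running-config after a BADCANDY clean-up.

Checks two things that follow from the bulletin:
  1. Is the web UI (HTTP/HTTPS server) still enabled, and is it restricted
     to a management ACL?
  2. Are there privilege-15 local accounts the operator did not create?
Command syntax is standard IOS XE. Both sample configs are constructed for
this example, not captured from a real device.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed "before" config: web UI on HTTP and HTTPS with no access class,
# plus a privilege-15 user the operator does not recognise.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_support privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Constructed "after" config: plain HTTP off, HTTPS limited to a management
# ACL, and only the known administrator left at privilege 15.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
ip http authentication local
!
end
"""

# "username <name> ... privilege <n> ..." (accounts without the keyword default to 1)
USERNAME_RE = re.compile(r"^username\s+(\S+)\s.*?\bprivilege\s+(\d+)\b")
# "ip http access-class <number>" or "ip http access-class ipv4 <name>"
ACCESS_CLASS_RE = re.compile(r"^ip http access-class\s+(?:ipv4\s+)?(\S+)")


@dataclass
class AuditResult:
    http_enabled: bool = False
    https_enabled: bool = False
    http_access_class: Optional[str] = None
    priv15_users: List[str] = field(default_factory=list)
    unexpected_priv15: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def audit_config(config: str, expected_admins: Set[str]) -> AuditResult:
    """Parse a running-config and report web UI exposure and unexpected admins."""
    result = AuditResult()
    for raw in config.splitlines():
        line = raw.strip()
        # Exact matches so that "no ip http server" is not read as enabled.
        if line == "ip http server":
            result.http_enabled = True
        elif line == "ip http secure-server":
            result.https_enabled = True
        elif (m := ACCESS_CLASS_RE.match(line)):
            result.http_access_class = m.group(1)
        elif (m := USERNAME_RE.match(line)) and int(m.group(2)) == 15:
            result.priv15_users.append(m.group(1))

    result.unexpected_priv15 = [u for u in result.priv15_users if u not in expected_admins]

    if result.http_enabled:
        result.findings.append(
            "web UI reachable over plain HTTP ('ip http server'); disable with 'no ip http server'")
    if result.https_enabled and result.http_access_class is None:
        result.findings.append(
            "web UI reachable over HTTPS from any source; use 'no ip http secure-server' "
            "or restrict it with 'ip http access-class'")
    if result.unexpected_priv15:
        result.findings.append(
            "privilege-15 accounts not on the expected list: " + ", ".join(result.unexpected_priv15)
            + " (CVE-2023-20198 creates such an account and a reboot does not remove it)")
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        r = audit_config(cfg, expected_admins={"netadmin"})
        print(f"[{name}] {len(r.findings)} finding(s)")
        for f in r.findings:
            print("  -", f)
```

Run against the weak config the audit reports three findings (HTTP enabled, unrestricted HTTPS, and the unexpected `cisco_support` account); against the hardened config it reports none. Feed it the output of `show running-config` from a device you are cleaning up, and treat any privilege-15 account you cannot account for as evidence that the device was exploited and needs a full review, not just a reboot.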
