Why BADCANDY web shell on Cisco IOS XE CVE-2023-20198?

The BADCANDY Web Shell on Cisco IOS XE CVE-2023-20198

The BADCANDY web shell on Cisco IOS XE CVE-2023-20198 surfaced as a serious threat to network edge devices. Because CVE-2023-20198 permits remote, unauthenticated attackers to create highly privileged accounts, many administrators face urgent risk. As a result, poorly patched Cisco devices can be compromised within minutes.

Technically, the implant is a Lua-based web shell accessible through the device web UI. It does not persist after a reboot; however, attackers can exfiltrate credentials during the initial compromise and establish backdoors. Therefore a simple reboot may mask the root cause and invite re-exploitation.

This article explains how attackers exploit the web UI and how teams can respond. It covers detection steps and hardening guidance such as disabling the HTTP server and applying Cisco patches. Finally, we outline managed security opportunities so vendors and MSSPs can turn this edge risk into services. Because attackers often target edge switches, defenders must prioritize patching, monitoring, and rapid incident response.

BADCANDY web shell on Cisco IOS XE CVE-2023-20198: Overview

The BADCANDY web shell on Cisco IOS XE CVE-2023-20198 is a Lua-based implant that abuses the IOS XE web user interface. It first appeared in October 2023 and returned with renewed activity through 2024 and 2025. Security researchers describe it as a low-equity implant because it requires little sophistication once the device is reached.

The underlying flaw, CVE-2023-20198, allows remote, unauthenticated attackers to create privilege level 15 accounts. As a result, attackers gain full control without valid credentials. Therefore affected routers and switches can be fully compromised within minutes.

BADCANDY web shell on Cisco IOS XE CVE-2023-20198: How it operates

  • Exploitation vector: attackers target the device web UI and exploit CVE-2023-20198 to add admin accounts. For Cisco guidance and fixed versions, see Cisco's Security Advisory.
  • Implant type: a Lua web shell uploaded into the web UI environment. It runs commands and can read configuration and credentials.
  • Persistence characteristics: BADCANDY is non-persistent. However, attackers often exfiltrate credentials or install other backdoors before removal. As a result, re-exploitation of unpatched devices is common.
  • Post-compromise behavior: actors apply non-persistent patches to hide the vulnerability status. Consequently, detection becomes harder for network defenders.
  • Common indicators: unexpected high-privilege local accounts, modified web UI files, unusual HTTP server activity, and config changes under interface tunnel[number].
  • Related risks: credential theft, lateral movement, data exfiltration, and supply chain impact if edge devices route critical traffic.

Detection and mitigation notes

A reboot removes the implant but not the underlying vulnerability, so do not rely on a reboot alone. Instead, apply Cisco patches and hardening. For observed incident reporting and community analysis, see reporting by The Hacker News and Bleeping Computer.


BADCANDY web shell on Cisco IOS XE CVE-2023-20198: Evidence and timeline

The BADCANDY web shell on Cisco IOS XE CVE-2023-20198 first appeared in reports from October 2023 and showed renewed campaign activity through 2024 and 2025. Security teams in Australia reported widespread scanning and exploitation during mid-2025. ASD observed over 400 potentially compromised devices since July 2025; however, the number of confirmed compromised devices stabilized around 150 as of late October 2025.

  • Named entities and reports

The Australian Signals Directorate reported targeted infections and response guidance, which elevated national awareness. For community analysis and incident detail, see The Hacker News. Meanwhile, Bleeping Computer summarized impacts to enterprise networks.

  • Business and infrastructure impacts

Many affected systems were edge routers and Catalyst switches that route critical traffic. Consequently some organizations faced service disruption risks and increased incident response costs. For example operators reported urgent remediation work, credential resets, and forensic analysis to confirm no persistent backdoors remained.

  • Technical case examples

Attackers exploited CVE-2023-20198 to create privilege level 15 accounts via the IOS XE web UI. Therefore they could read the running configuration and exfiltrate stored credentials. Attackers also applied non-persistent patches to mask the vulnerability status, which made detection harder for administrators.

  • Response outcome

Cisco released fixed IOS XE versions such as 17.9.4a, 17.6.6a, 17.3.8a and 16.12.10a. Consequently, organizations that applied the patches reduced re-exploitation risk. Still, many defenders relied on reboots, which removed the implant but left systems vulnerable to return attacks.

Mitigation techniques (technique, description, effectiveness, recommended usage):

  • Apply official Cisco patches: install IOS XE fixes such as 17.9.4a, 17.6.6a, 17.3.8a, and 16.12.10a to remediate CVE-2023-20198. Effectiveness: very high. Recommended usage: apply immediately; test in staging and then deploy across management devices.
  • Disable HTTP server: disable ip http server and ip http secure-server if the web UI is not required. Effectiveness: high. Recommended usage: turn off on production devices where feasible; document changes and rollback steps.
  • Network segmentation: isolate management interfaces on a dedicated VLAN or out-of-band network. Effectiveness: high. Recommended usage: segregate the management plane and restrict access with ACLs and jump hosts.
  • Monitoring and detection: alert on new privilege 15 accounts, modified web UI files, and unusual HTTP traffic. Effectiveness: moderate to high. Recommended usage: use IDS, syslog aggregation, and SIEM rules; tune alerts to reduce false positives.
  • Credential rotation and MFA: rotate admin credentials and enforce multi-factor authentication for management access. Effectiveness: moderate. Recommended usage: rotate immediately after suspected compromise and enable MFA for all admins.
  • Incident response and forensics: perform forensic analysis, reset credentials, patch devices, and validate cleanup. Effectiveness: essential. Recommended usage: follow an IR plan; avoid relying only on reboots because implants can return.
  • Access control and hardening: apply least privilege, limit SNMP and SSH exposure, and follow Cisco hardening guidance. Effectiveness: high. Recommended usage: implement baseline hardening and periodic configuration reviews.

Use these techniques together for defense in depth: prioritize patching first, and then apply the additional controls to reduce re-exploitation risk.

Conclusion

The BADCANDY web shell on Cisco IOS XE CVE-2023-20198 presents a clear risk to edge infrastructure and business operations. Because attackers exploit the IOS XE web UI to create highly privileged accounts, organizations face credential theft, service disruption, and lateral movement. Therefore defenders must treat affected devices as high priority.

Apply official Cisco patches immediately and disable the HTTP server if the web UI is not needed. Also implement network segmentation, enforce least privilege, and rotate management credentials with multi-factor authentication. In addition, deploy monitoring for new privilege 15 accounts and unusual HTTP activity, because detection reduces time to respond.

For businesses and e-commerce operators, cybersecurity is not optional. Velocity Plugins combines AI-driven WooCommerce tools with strong security practices to protect revenue and reduce support costs. Visit their site at Velocity Plugins to learn how automated conversion tools and resilient operations work together. As a result, retailers can improve customer experience while lowering the attack surface.

Finally, consider managed security services that cover patching, monitoring, and incident response. Doing so turns edge risk into an opportunity to strengthen resilience and to protect critical infrastructure and customer trust.

Frequently Asked Questions (FAQs)

What is the BADCANDY web shell on Cisco IOS XE CVE-2023-20198?

The BADCANDY web shell on Cisco IOS XE CVE-2023-20198 is a Lua-based implant that abuses the IOS XE web user interface. The underlying flaw allows remote, unauthenticated attackers to add privilege level 15 accounts. As a result, attackers gain full control of affected edge devices.

How does the implant operate and what immediate risks should I expect?

Attackers exploit the web UI flaw to upload a Lua web shell and run commands. They often exfiltrate credentials, create admin accounts, and modify configurations. Therefore expect credential theft, lateral movement, and service disruption risks.

How can I detect BADCANDY infections quickly?

Look for these indicators:

  • unexpected privilege 15 accounts appearing in the config
  • modified web UI files or unusual HTTP server activity
  • sudden config changes under interface tunnel[number]
  • abnormal outbound connections or credential harvesting attempts

Use centralized logging, SIEM, and heuristic rules to reduce detection time.
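As an added example (not from the original article, Cisco, or ASD), here is a small Python audit that applies the indicators listed above and in the "How it operates" section to an IOS XE running-config excerpt. The config text, the account names, the tunnel interface and the approved-admin allowlist are all constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from a real device). The account names,
# tunnel interface and secret placeholders are assumptions made for this example.
SAMPLE_CONFIG = """\
hostname edge-sw01
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
ip http server
ip http secure-server
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet1/0/1
 description uplink
"""

# Assumed baseline: the privilege-15 accounts the organization actually approved.
KNOWN_ADMINS = {"netadmin"}


def audit_ios_xe_config(config_text, known_admins):
    """Collect the config-level indicators the article lists: unexpected
    privilege-15 users, an enabled web UI, and tunnel interfaces to review."""
    findings = {"unexpected_priv15": [], "http_server": [], "tunnel_interfaces": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        user = re.match(r"username (\S+) privilege 15\b", line)
        if user and user.group(1) not in known_admins:
            findings["unexpected_priv15"].append(user.group(1))
        # Only the enabled form matters; "no ip http server" means the web UI is off.
        if line in ("ip http server", "ip http secure-server"):
            findings["http_server"].append(line)
        tunnel = re.match(r"interface (Tunnel\d+)", line)
        if tunnel:
            findings["tunnel_interfaces"].append(tunnel.group(1))
    return findings


def priority(findings):
    """Triage: an exposed web UI plus an unknown admin account is the worst case;
    tunnel interfaces alone are legitimate on many devices and only need review."""
    if findings["unexpected_priv15"] and findings["http_server"]:
        return "critical"
    if findings["unexpected_priv15"] or findings["http_server"]:
        return "high"
    if findings["tunnel_interfaces"]:
        return "review"
    return "clean"


if __name__ == "__main__":
    result = audit_ios_xe_config(SAMPLE_CONFIG, KNOWN_ADMINS)
    print(priority(result), result)
```

Feed it the output of show running-config collected over your normal management channel; a device that reports "critical" should be handled under the incident response steps above rather than simply rebooted.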

Will rebooting the device remove the web shell, and is that enough?

Rebooting removes the non-persistent BADCANDY implant. However, a reboot does not fix CVE-2023-20198. Therefore attackers can re-exploit unpatched systems. Apply patches and rotate credentials after any reboot.

What are the prioritized mitigation steps I should take now?

Prioritize these actions:

  • apply Cisco patches for IOS XE immediately
  • disable ip http server if not needed
  • isolate management interfaces and enable MFA
  • rotate admin credentials and run forensics

Also implement continuous monitoring and consider managed security services for sustained protection.
