Mitigate BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)?

Discover why the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) demands urgent attention from network defenders

Attackers exploit the web user interface to escalate privileges and create highly privileged accounts, then deploy this Lua-based web shell. As a result, they gain near-total control over affected routers and switches.

Since October 2023, operators have deployed BADCANDY widely, and renewed activity continued through 2025. However, the implant does not persist after reboot, which can lull teams into a false sense of security. Because the underlying vulnerability remains exploitable, unpatched devices are re-infected rapidly.

This guide gives a practical checklist to detect and remove the implant. It also lists steps to harden the web UI and to review ip http server settings. Moreover, we explain detection signatures, credential risks, and how to prioritize patching across affected IOS XE versions. Read on for hands-on tactics suitable for security teams and infrastructure engineers.

We cover indicators such as interface tunnel[number] entries and suspicious account names like cisco_tac_admin. Finally, you get step-by-step removal and mitigation advice.

Technical background: BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)

Cisco IOS XE is a modular, Linux-based network operating system. It runs on enterprise routers and switches and supports modern management features. Because it hosts the web user interface, administrators can manage devices via a browser. However, that convenience introduces attack surface when the web UI is enabled.

CVE-2023-20198 is a web UI command injection vulnerability. An unauthenticated remote attacker can exploit the flaw to run commands with high privileges. As a result, attackers can create privilege 15 accounts and install a Lua-based web shell known as BADCANDY. Once active, the implant lets adversaries execute commands and exfiltrate credentials.

The vulnerability manifests when ip http server or ip http secure-server is enabled in configuration. Therefore, devices with the web UI exposed to untrusted networks face the highest risk. Importantly, the implant does not survive a reboot, but the underlying vulnerability remains exploitable. Consequently, teams that reboot without patching risk rapid re-infection.

Key technical details and risks

  • Exploitation vector: unauthenticated web UI command injection when ip http server or ip http secure-server is enabled. This grants attackers privilege 15 access.
  • Implant behavior: BADCANDY is a Lua-based web shell that allows remote command execution and credential harvesting, but it is non-persistent after reboot.
  • Operational impact: full device compromise enables lateral movement, traffic interception, and long-term espionage, because attackers can create admin accounts and modify routing.

For official technical guidance, see Cisco’s PSIRT advisory and the NVD entry for CVE-2023-20198. Apply vendor patches promptly to stop re-exploitation.


Documented cases and exploits: BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)

Since October 2023, multiple incident responders and national CERTs reported active deployments of the BADCANDY implant. For example, ASD assessed that over 400 devices were potentially compromised since July 2025, and roughly 150 devices remained compromised across Australia by late October 2025. Because adversaries can install a Lua-based web shell after exploiting the web UI, they gain immediate, high-level control over devices.

“This Lua-based web shell has been actively deployed since October 2023, with ASD observing renewed exploitation activity throughout 2024 and continuing into 2025.”

Reported cases show a consistent pattern. Attackers exploit CVE-2023-20198 when the web UI is enabled via ip http server or ip http secure-server. After exploitation, actors create privileged accounts, harvest credentials, and sometimes set up tunnels. As a result, teams frequently find unknown interface tunnel[number] entries and unfamiliar admin users.

“The BADCANDY implant represents a persistent threat to organizations running vulnerable Cisco IOS XE Software with the web user interface feature enabled.”

Evidence also highlights the risk score. CVE-2023-20198 has a maximum CVSS score of 10.0. Cisco published patches for affected IOS XE versions, including 17.9.4a, 17.6.6a, 17.3.8a, and 16.12.10a. For technical details and mitigation steps, consult Cisco’s Security Advisory and the NVD entry for CVE-2023-20198. Consequently, defenders must patch promptly and hunt for post-exploitation artifacts to prevent re-exploitation.

Comparative mitigation strategies

Below is a quick comparison of mitigation options to defend against the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198). Use this table to choose actions based on risk and resources.

| Strategy | Description | Effectiveness | Ease of Implementation |
|---|---|---|---|
| Apply official Cisco patches | Install vendor patches for affected IOS XE versions (for example 17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a). This removes the root vulnerability. | Very high | Medium |
| Disable web UI | Turn off ip http server and ip http secure-server when not needed. This reduces the attack surface immediately. | High | High |
| Network access controls | Limit management plane access with ACLs, management VRFs, and segmented out-of-band networks. This blocks external exploitation paths. | High | Medium |
| Reboot then hunt | Reboot to remove the non-persistent implant, then perform forensic checks and credential resets. Do not rely on reboot alone. | Medium | High |
| Credential rotation and MFA | Rotate device credentials and enforce multi-factor authentication for management interfaces. This reduces the impact of stolen credentials. | High | Medium |
| Enhanced monitoring and logging | Enable detailed syslog, AAA logging, and periodic configuration audits. Additionally, deploy IDS rules to detect web shell indicators. | High | Low |
| Isolate and rebuild | If compromise is confirmed, isolate the device and rebuild from a known good image. This eliminates hidden persistence and misconfigurations. | Very high | Low to medium |

Conclusion

The BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) remains a clear and present danger to networks. Because attackers can gain privilege 15 access through the web UI, affected devices risk full compromise. Therefore, defenders must treat exposed management interfaces as critical attack surfaces.

Act quickly to apply official Cisco patches and to disable unused web UI features. Additionally, enforce strict network access controls and rotate device credentials regularly. As a result, you reduce the chance of re-exploitation and limit attacker dwell time.

Rebooting may remove the implant, but it does not fix the vulnerability. Consequently, teams must combine immediate remediation with thorough hunting and forensic checks. Also, rebuild or isolate confirmed compromised devices to eliminate hidden persistence.

Velocity Plugins specializes in AI driven tools that help teams detect anomalies and automate remediation workflows. Visit Velocity Plugins to learn how advanced tooling can increase operational efficiency and strengthen your security posture. In short, stay vigilant, patch promptly, and adopt proactive automation to keep critical edge devices safe.

Frequently Asked Questions (FAQs)

What is the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)?

BADCANDY is a Lua-based web shell deployed after exploiting CVE-2023-20198. The flaw targets the web user interface in Cisco IOS XE. As a result, unauthenticated attackers can create privilege 15 accounts and execute commands.

How severe is the risk to my network?

This vulnerability holds a CVSS score of 10.0, which indicates critical severity. Moreover, ASD reported renewed exploitation activity through 2024 and 2025. For example, assessors estimated over 400 devices potentially compromised since July 2025, and around 150 remained compromised by late October 2025. Therefore, any exposed management interface should be treated as high priority.

How can I detect if a device is infected?

Check for unknown admin accounts such as cisco_tac_admin or unfamiliar users. Also, look for interface tunnel[number] entries in running configurations. Review AAA and syslog records for web UI requests and unusual CLI sessions. For detailed indicators and vendor guidance, see Cisco’s advisory.
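The configuration indicators described in the technical background and in this answer can be checked mechanically. The following script is an added example, not code from this post or from Cisco: it scans a saved running-config excerpt for an enabled web UI, privilege 15 accounts outside an operator allowlist, and Tunnel interfaces. The sample config, the KNOWN_ADMINS allowlist and the netadmin account name are constructed for illustration.

```python
import re

# Constructed excerpt of "show running-config" output; not captured from a real device.
SAMPLE_CONFIG = """\
version 17.9
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
!
interface Tunnel100
 ip address 10.255.255.1 255.255.255.0
!
ip http server
ip http secure-server
"""

# Accounts the operator deliberately created; any other privilege 15 user is suspect.
KNOWN_ADMINS = {"netadmin"}

def audit_config(config, known_admins=KNOWN_ADMINS):
    """Return a list of finding strings for BADCANDY / CVE-2023-20198 indicators."""
    findings = []
    for raw in config.splitlines():
        line = raw.rstrip()
        # Exploit precondition: the web UI is enabled (a preceding "no " does not match).
        if line in ("ip http server", "ip http secure-server"):
            findings.append(f"web UI enabled: '{line}' (mitigation: 'no {line}')")
        # Post-exploitation artifact: privilege 15 account not on the allowlist.
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m.group(1) not in known_admins:
            findings.append(f"unexpected privilege 15 account: {m.group(1)}")
        # Post-exploitation artifact: interface tunnel[number] entries.
        m = re.match(r"interface Tunnel(\d+)\b", line)
        if m:
            findings.append(f"tunnel interface present: Tunnel{m.group(1)} (verify it is sanctioned)")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against each device's saved configuration; a hit on the web UI lines alone means the device is exploitable and should be patched or have the web UI disabled, while the account and tunnel hits warrant the reboot-then-hunt and credential rotation steps above.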

What immediate mitigation steps should I take?

First, apply the official Cisco patches for affected IOS XE releases. Next, disable the web UI with no ip http server and no ip http secure-server when it is not needed. Then, reboot to remove the non-persistent implant and perform credential rotation. Also, isolate compromised devices and rebuild from a known good image when possible. Finally, add ACLs and monitoring to prevent re-exploitation.

What has Cisco done and where can I find official guidance?

Cisco published PSIRT advisories and patches for versions such as 17.9.4a, 17.6.6a, 17.3.8a, and 16.12.10a. Consequently, follow Cisco’s remediation steps and deploy vendor fixes promptly. For a vulnerability overview, visit the NVD entry and Cisco’s advisory.
