Why does the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) persist?

BADCANDY Web Shell on Cisco IOS XE (CVE-2023-20198)

The BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) represents a critical threat to network infrastructure. CVE-2023-20198 is a flaw in the IOS XE web user interface that lets a remote, unauthenticated attacker create an account with privilege level 15, the highest level on the device. BADCANDY is the Lua-based web shell that attackers then deploy to keep control of the compromised device. As a result, routers and switches can be seized for espionage, data theft, or lateral access. Recent incidents show widespread exploitation across enterprise and service provider routers.

For example, the Australian Signals Directorate (ASD) and other reports link sustained campaigns to BADCANDY implants. However, the implant does not survive a reboot, which can create a false sense of safety: a rebooted device is clean but still vulnerable. Therefore remediation must include both removal of the implant and patching of the underlying CVE.

Network teams should look for signs such as unknown tunnel interfaces and unexpected privilege 15 accounts. Attackers also sometimes apply a non-persistent patch to the device so that it no longer appears vulnerable to scanners, which complicates detection. This article explains detection methods, hardening steps, and incident response for affected Cisco IOS XE devices, and how to prevent re-exploitation of your edge infrastructure.

Conceptual web shell attack image

What is the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)?

The BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) is a Lua-based implant that attackers deploy to control routers and switches after exploiting CVE-2023-20198. Because the flaw is in the IOS XE web user interface, actors gain privilege 15 access without authentication. The implant first appeared in October 2023 and has seen renewed use through 2024 and 2025. As a result, organisations face prolonged risk of espionage and data theft.

Key facts and context

  • BADCANDY is a Lua-based web shell described as low-equity but highly effective for initial access and follow-on activity.
  • CVE-2023-20198 is a critical (CVSS 10.0) privilege escalation vulnerability in the IOS XE Web UI. See the Cisco advisory for details.
  • The NVD entry for CVE-2023-20198 records the vulnerability details and severity rating.
  • Threat actors include criminal and state-sponsored groups. Recorded Future links exploitation to Salt Typhoon in related campaigns.
  • Public reporting highlights ongoing exploitation and incidents in 2025; for example, The Hacker News summarises recent activity.

How the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) is exploited and the attack mechanics

Attackers exploit the Web UI when it is enabled, that is, when the configuration contains ip http server or ip http secure-server. Internet-exposed management interfaces are therefore the highest-risk population. The typical attack flow is as follows.

  • Reconnaissance and access verification. Actors scan for exposed Web UI ports and probe for vulnerable IOS XE versions.
  • Exploitation of CVE-2023-20198. The flaw allows unauthenticated creation of privileged accounts, so attackers gain privilege 15 access within a single request sequence.
  • Deployment of the BADCANDY implant. Actors write a Lua-based web shell into the device's web-server configuration rather than the IOS XE running configuration, so it does not appear in show running-config.
  • Post-exploitation activity. Attackers may exfiltrate credentials, create further accounts, or modify configurations (tunnels, ACLs, routing) for lateral movement.
  • Masking and re-exploitation. Actors sometimes apply a non-persistent patch to hide the vulnerable indicators from scanners, and they may revisit unpatched devices after a reboot has cleared the implant.

Indicators to hunt for

  • Unexpected accounts with privilege 15, in particular cisco_tac_admin, cisco_support, cisco_sys_manager, or cisco
  • Unknown tunnel interfaces shown as interface tunnel[number]
  • Configuration changes recorded in TACACS+ or AAA command accounting logs that no administrator can account for

Because the implant does not survive a reboot, operators may be tempted to rely on reboots alone. However, a reboot does not fix CVE-2023-20198, and a device that was exploitable before the reboot is still exploitable after it. Therefore apply Cisco fixed releases and harden Web UI access to prevent re-exploitation.

Comparing common attack methods on Cisco IOS XE devices

Attack method: BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)
  Description: Lua-based web shell deployed after exploiting the IOS XE Web UI. CVE-2023-20198 allows remote, unauthenticated creation of privilege 15 accounts. Exploitation requires ip http server or ip http secure-server to be enabled.
  Impact and severity: Critical (CVSS 10.0). Widespread activity since 2023 with sustained campaigns into 2025. See the Cisco advisory and the NVD entry for CVE-2023-20198.
  Mitigation: Apply Cisco fixed releases (for example 17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a). Disable the Web UI if unused. Restrict management access with ACLs. Hunt for unexpected privilege 15 accounts and interface tunnel[number]. A reboot clears the implant but does not fix the vulnerability.

Attack method: SSH credential theft and brute force
  Description: Attackers use leaked credentials or brute-force SSH to gain CLI access. Often automated at scale.
  Impact and severity: High. Successful logins give command-line control and the ability to change configuration.
  Mitigation: Enforce strong passwords and rotate credentials. Use public-key authentication and MFA where possible. Limit SSH access with ACLs and management VRFs. Monitor AAA logs.

Attack method: SNMP misconfiguration and exploitation
  Description: Misconfigured SNMP leaks data or allows remote writes. SNMP community strings can be abused.
  Impact and severity: Medium to high depending on exposure. Can reveal credentials and topology.
  Mitigation: Disable SNMP v1 and v2c. Use SNMPv3 with authPriv. Restrict SNMP to management hosts. Audit SNMP logs.

Attack method: Supply chain or firmware implants
  Description: Malicious firmware or altered images introduce persistent backdoors. Often stealthy and hard to detect.
  Impact and severity: Critical and persistent. Can survive reboots and upgrades if image signing is compromised.
  Mitigation: Verify image integrity and signatures. Source firmware from trusted channels. Apply vendor advisories and cryptographic checks.

Attack method: Configuration tampering via compromised accounts
  Description: Attackers modify routing, tunnels, ACLs, or NAT to intercept traffic.
  Impact and severity: High. Can enable data exfiltration and lateral movement.
  Mitigation: Implement least privilege for accounts. Audit and alert on configuration changes. Remove unknown tunnel interfaces and suspicious admin accounts.

This table clarifies why BADCANDY is uniquely dangerous. It combines unauthenticated privilege escalation with a lightweight Lua implant. Therefore, teams must prioritise patching and layered mitigations to prevent re exploitation.

Preventing BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)

Protecting devices against the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) requires layered controls. First, prioritise vendor patches and tested fixes. Then harden configurations and improve monitoring. Finally, practice rapid incident response to stop re exploitation.

Patch and update

  • Apply Cisco fixed releases as a first step. See the official Cisco security advisory for affected versions and fixed releases.
  • Also review the NVD entry for CVE-2023-20198 for CVE details and CVSS scoring.
  • Schedule urgent upgrades for internet-exposed management devices. When possible, test in a lab before mass rollout.

Configuration hardening and access controls

  • Disable the Web UI if you do not need it: configure no ip http server and no ip http secure-server.
  • If the Web UI is required, restrict access with strict ACLs and management VRFs so that only trusted administrator addresses can reach it.
  • Enforce least privilege. Remove or disable unknown accounts and any privilege 15 accounts that are unexpected.
  • Remove suspicious interfaces such as interface tunnel[number]. These often indicate tampering.
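The checks described in the attack mechanics and indicators sections above, together with the hardening settings in this list, as a single audit script. This is an added example, not Cisco tooling or code from the page. It takes a saved running-config and a show version excerpt and reports the Web UI state, unexpected privilege 15 accounts, the actor-created account names the page lists, tunnel interfaces, and whether the running release is below the fixed release for its train. The fixed-release table is taken from the Cisco advisory cited on this page; both device outputs are constructed, and netadmin is an assumed legitimate administrator.

```python
"""Audit a Cisco IOS XE running-config and 'show version' excerpt for
CVE-2023-20198 exposure and the BADCANDY indicators listed on this page.

Added example, not Cisco's tooling. The fixed-release table comes from the
Cisco advisory; the device outputs below are constructed, not captured."""
import re
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, int, int, str]  # (major, minor, patch, suffix), e.g. 17.9.4a

# First fixed release per train (Cisco advisory). Trains not listed here get a
# 'check the advisory' result (None) rather than a guess.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (16, 12): (16, 12, 10, "a"),
    (17, 3): (17, 3, 8, "a"),
    (17, 6): (17, 6, 6, "a"),
    (17, 9): (17, 9, 4, "a"),
}
# Account names reported as created during CVE-2023-20198 exploitation.
KNOWN_ACTOR_ACCOUNTS: Set[str] = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}

_VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\.(\d+)([a-z]?)")
_USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)
_TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)\s*$", re.M)
# Anchored at line start so the disabled form 'no ip http server' does not match.
_WEBUI_RE = re.compile(r"^ip http (?:secure-)?server\s*$", re.M)


def parse_version(show_version: str) -> Optional[Version]:
    """'Cisco IOS XE Software, Version 17.09.04a' -> (17, 9, 4, 'a')."""
    m = _VERSION_RE.search(show_version)
    return (int(m[1]), int(m[2]), int(m[3]), m[4]) if m else None


def version_below_fixed(ver: Version) -> Optional[bool]:
    """True if below the train's fixed release, False if at or above it, None if
    the train is unknown. Tuple comparison puts 17.9.4 ('' suffix) below 17.9.4a."""
    fixed = FIXED_RELEASES.get(ver[:2])
    return None if fixed is None else ver < fixed


def webui_enabled(config: str) -> bool:
    return _WEBUI_RE.search(config) is not None


def accounts(config: str) -> Dict[str, Optional[int]]:
    """username -> privilege level (None when no privilege keyword is present)."""
    result: Dict[str, Optional[int]] = {}
    for user, level in _USER_RE.findall(config):
        if level:
            result[user] = int(level)
        else:
            result.setdefault(user, None)
    return result


def audit(config: str, show_version: str, expected_admins: Set[str]) -> Dict[str, object]:
    ver = parse_version(show_version)
    below = version_below_fixed(ver) if ver else None
    users = accounts(config)
    exposed = webui_enabled(config)
    return {
        "version": ver,
        "below_fixed_release": below,  # None => consult the advisory for this train
        "webui_enabled": exposed,
        # Exploitable only when the Web UI is reachable AND the release is unfixed.
        "exploitable": exposed and below is True,
        "unexpected_priv15": sorted(u for u, p in users.items() if p == 15 and u not in expected_admins),
        "known_actor_accounts": sorted(set(users) & KNOWN_ACTOR_ACCOUNTS),
        "tunnel_interfaces": _TUNNEL_RE.findall(config),
    }


# Constructed samples: an exposed device, and the same device after hardening.
EXPOSED_SHOW_VERSION = "Cisco IOS XE Software, Version 17.09.03\n"
EXPOSED_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server
interface Tunnel8
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
"""
HARDENED_SHOW_VERSION = "Cisco IOS XE Software, Version 17.09.04a\n"
HARDENED_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$REDACTED
no ip http server
no ip http secure-server
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg, sv in (("exposed", EXPOSED_CONFIG, EXPOSED_SHOW_VERSION),
                           ("hardened", HARDENED_CONFIG, HARDENED_SHOW_VERSION)):
        print(label, audit(cfg, sv, {"netadmin"}))
```

A None for below_fixed_release means the device runs a train outside the four listed on this page, not that it is safe; check it against the advisory. Note also that a clean audit only shows the running configuration is clean: the Lua implant itself lives outside the running-config, so this check complements rather than replaces Cisco's guidance on implant detection.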

Monitoring, logging and detection

  • Enable AAA and command accounting to capture configuration changes. Then forward logs to a central SIEM.
  • Hunt for indicators like newly created admin accounts or unexplained tunnel interfaces. Also look for Lua files or web configuration anomalies.
  • Use regular configuration snapshots. Compare snapshots to detect stealthy non persistent patches.
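Snapshot comparison as described in the last bullet above, as an added example (not code from the page or from any vendor tool). Two constructed snapshots of the same device are flattened into (section, line) pairs, so that a change inside an interface block stays attached to that interface, and the additions and removals are then matched against patterns for the indicators on this page: a new privilege 15 account, a new tunnel interface, the Web UI being re-enabled, and logging or command accounting being removed. The rule labels and both snapshots are assumptions constructed for illustration.

```python
"""Compare two Cisco IOS XE configuration snapshots and flag the changes that
match the indicators discussed on this page.

Added example, not a Cisco or vendor tool. Both snapshots are constructed."""
import re
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str]  # (enclosing section header or "", normalised line)


def normalise(config: str) -> Set[Entry]:
    """Flatten a config into (section, line) pairs. IOS indents sub-commands by
    one space, so an indented line belongs to the last unindented header."""
    entries: Set[Entry] = set()
    section = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            entries.add((section, raw.strip()))
        else:
            section = raw.strip()
            entries.add(("", section))
    return entries


# (label, pattern, which side of the diff it applies to). Labels are ours.
ALERT_RULES = [
    ("privilege 15 account added", re.compile(r"^username \S+ privilege 15\b"), "added"),
    ("tunnel interface added", re.compile(r"^interface Tunnel\d+$"), "added"),
    ("Web UI enabled", re.compile(r"^ip http (?:secure-)?server$"), "added"),
    ("Web UI disablement removed", re.compile(r"^no ip http (?:secure-)?server$"), "removed"),
    ("logging or command accounting removed", re.compile(r"^(?:logging host|aaa accounting)\b"), "removed"),
]


def compare_snapshots(baseline: str, current: str) -> Dict[str, List]:
    """Return added/removed entries plus (label, line) alerts for top-level
    changes that match ALERT_RULES."""
    before, after = normalise(baseline), normalise(current)
    added = sorted(after - before)
    removed = sorted(before - after)
    alerts: List[Tuple[str, str]] = []
    for label, pattern, side in ALERT_RULES:
        for section, line in (added if side == "added" else removed):
            if section == "" and pattern.search(line):
                alerts.append((label, line))
    return {"added": added, "removed": removed, "alerts": alerts}


# Constructed snapshots: a known-good baseline and a later capture in which
# an account and a tunnel were added, the Web UI re-enabled, and logging and
# command accounting removed.
BASELINE = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
!
aaa new-model
aaa accounting commands 15 default start-stop group TACACS-SRV
!
no ip http server
no ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
logging host 10.0.0.50
"""
CURRENT = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_support privilege 15 secret 9 $9$REDACTED
!
aaa new-model
!
no ip http server
ip http secure-server
!
interface Tunnel8
 ip address 10.254.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
"""

if __name__ == "__main__":
    report = compare_snapshots(BASELINE, CURRENT)
    for label, line in report["alerts"]:
        print(f"[{label}] {line}")
```

Snapshots should be pulled over an out-of-band path and stored where the device cannot alter them; an attacker with privilege 15 can edit the running configuration, but not a copy held elsewhere. A clean diff shows only that the running-config is unchanged: the Lua implant is written outside the running-config, so this comparison catches the follow-on changes (accounts, tunnels, Web UI state) rather than the implant itself.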

Operational best practices

  • Rebooting clears the BADCANDY implant but does not fix CVE 2023 20198. Therefore treat reboots as a short term measure only.
  • Rotate and harden credentials. Use public key authentication for SSH and add multi factor authentication where supported.
  • Implement change verification workflows. Require peer review and alerting on critical config changes.

Incident response and recovery

  • Isolate affected devices from management networks immediately. Next, collect forensic logs and configuration backups.
  • Upgrade to a Cisco fixed release, reimaging from a verified image if the integrity of the running image is in doubt. Finally, reset credentials and remove any unknown accounts and tunnel interfaces before returning the device to service.

These steps reduce the chance of re exploitation by threat actors. As a result, teams gain stronger protection against Lua based web shells and privilege escalation attacks.

Conclusion

The BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) remains a severe risk to networked infrastructure. Because the flaw allows unauthenticated privilege escalation, attackers can create high privilege accounts and take control of routers and switches. Recent reporting shows sustained activity and widespread impact, so organisations must act now.

Prioritise patching and configuration hardening to reduce exposure. Disable the Web UI when not required and restrict management access with ACLs. Also enable AAA and command accounting, monitor logs centrally, and hunt for indicators such as privilege 15 accounts and unknown tunnel interfaces. Reboots remove the implant but do not fix the vulnerability, so apply vendor patches promptly.

Finally, note that strong operational hygiene reduces the chance of re exploitation. For broader digital transformation needs, consider partners with applied AI experience. Velocity Plugins offers AI driven WooCommerce plugins that improve customer interaction and sales efficiency.

Frequently Asked Questions (FAQs)

What is the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) and why is it dangerous

The BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) is a Lua based implant. Because it exploits the IOS XE Web UI, attackers gain unauthenticated privilege escalation. As a result, actors can create privilege 15 accounts and control routing devices. Recent reporting shows sustained campaigns from 2023 through 2025. For example, ASD reported over 150 devices compromised in Australia as of late October 2025.

How can I detect if my devices are infected or compromised

Start with simple configuration audits. Look for unexpected admin accounts with privilege 15 such as cisco_tac_admin or cisco_support. Also search for unknown tunnel interfaces like interface tunnel[number]. Next, enable AAA and command accounting to capture commands. Then forward logs to a central SIEM for correlation. Finally, compare regular configuration snapshots to spot non persistent patches and Lua files.

What immediate steps should I take if I find evidence of BADCANDY

First isolate the device from management and production networks. Next capture forensic logs and the running configuration. Rebooting removes the BADCANDY implant, however it does not fix the vulnerability. Therefore apply Cisco’s fixed releases without delay and rotate credentials. Also remove unknown accounts and suspicious tunnel interfaces before returning devices to service.

How do I permanently mitigate the risk and prevent re exploitation

Patch urgently to a Cisco fixed release such as 17.9.4a or the others listed by Cisco. In addition, disable the Web UI if you do not need it with no ip http server and no ip http secure-server. Restrict management access with ACLs and management VRFs. Use least privilege for admin accounts and implement multi-factor authentication where possible.

What monitoring and long term practices reduce future risk

Use continuous configuration monitoring and automated alerts for admin account creation. Also run periodic scans for exposed Web UI ports and vulnerable IOS XE versions. Train ops teams to verify image integrity and review vendor advisories. Finally, maintain a tested incident response plan and practice it regularly to shorten detection and recovery times.
