BADCANDY web shell: Rising threat to Cisco IOS XE and why defenders must act now
BADCANDY is a Lua-based web shell deployed against the Cisco IOS XE web UI and one of the more notable implants seen on network edge devices. The attacker first exploits CVE-2023-20198 to obtain a privilege 15 account on the device, and from that position can drop the implant and harvest credentials.
BADCANDY evades simple checks: the actor applies a non-persistent patch so that the device no longer looks exploitable, and although the implant itself does not survive a reboot, the actor can return and re-exploit an unpatched device or establish persistence by other means. The targets are frequently high-value network infrastructure in enterprises and service providers.
This article explains how to identify infections, apply Cisco's fixed releases, harden the ip http server and ip http secure-server settings, and use strict ACLs and monitoring to reduce re-exploitation risk across Catalyst switches and other IOS XE platforms. Security teams should also watch for unexpected admin accounts such as cisco_tac_admin and cisco_support and for modified interface Tunnel configurations.
What is the BADCANDY web shell?
BADCANDY web shell is a Lua-based implant that attackers deploy against Cisco IOS XE devices. It emerged in October 2023 and reappeared through 2024 and 2025. Attackers exploit a critical web UI flaw, tracked as CVE-2023-20198, to create privileged accounts and drop the web shell. For technical context and vendor guidance see Cisco's security advisory for CVE-2023-20198 and the NVD entry for the same CVE. Because the implant targets the device web UI, it affects Catalyst switches and any other IOS XE platform on which the web UI is enabled.
BADCANDY web shell key features and behavior
BADCANDY is built from small Lua scripts and keeps a minimal footprint on the device, so operators can stage access quickly and then pivot further into the network. Key features include:
- Lua-based payloads that hook into the Cisco web UI and its configuration files
- Exploitation of the web UI privilege escalation (CVE-2023-20198) to create privilege 15 accounts
- A non-persistent patch applied after exploitation, so that a vulnerability scan may report the device as not exploitable even though it has already been compromised
- Harvesting of administrative credentials and session tokens
- A short-lived implant that does not survive a reboot but lets the actor re-exploit an unpatched device
- Changes to the ip http server and ip http secure-server settings, which defenders should check for
Behaviourally, the actor first exploits the web UI vulnerability, creates a privilege 15 backdoor account such as cisco_tac_admin, and then installs the Lua web shell (Cisco documented the implant being installed by chaining a second web UI flaw, CVE-2023-20273, which the same fixed releases address). With the shell in place the actor harvests credentials. Defenders break this chain by patching and by disabling, or tightly restricting, the HTTP and HTTPS web UI services. For additional reporting on exploitation patterns, see Security Affairs.
Detecting BADCANDY therefore means monitoring for unexpected admin users, for interface Tunnel[number] entries that are not in the device baseline, and for unexpected ACL changes, and combining configuration audits with device logs and network monitoring so that a re-exploited device is noticed quickly.
Detecting and preventing the BADCANDY web shell
Early detection limits impact, and prevention stops re-exploitation. BADCANDY operators exploit CVE-2023-20198 to gain privileged access. For vendor context and fixed releases, consult Cisco's security advisory for CVE-2023-20198 and the NVD entry; independent reporting on recent activity is available at Security Affairs.
Detection techniques and tools
- Audit configuration frequently, because BADCANDY operators change web UI settings and add backdoor accounts. Alert on any new local username, and in particular on cisco_tac_admin or cisco_support.
- Track the ip http server and ip http secure-server state, because the web UI is the exploited service. Use configuration drift tooling so that an unexpected change raises an alert instead of waiting for the next manual review.
- Collect and analyse syslog and AAA logs. Cisco's published indicators include %SEC_LOGIN-5-WEBLOGIN_SUCCESS events for users you did not create, %SYS-5-CONFIG_P messages showing changes made programmatically by the SEP_webui_wsma_http process, and %WEBUI-6-INSTALL_OPERATION_INFO messages recording install operations by unknown users.
- Check the device for the implant itself. It does not live in bootflash:, so a directory listing from the IOS CLI will not show it; Cisco Talos published an HTTP probe (a POST to /webui/logoutconfirm.html?logon_hash=1 that returns a hexadecimal string when the original implant is present) as a more direct check, with the caveat that later variants require an Authorization header and do not answer it.
- Deploy network monitoring to catch credential exfiltration and command patterns; IDS/IPS rules tuned for web UI abuse help detect activity early.
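The checks above can be automated over the output of `show running-config` and `show logging`. The script below is an added example written for this article, not code from the page's sources, Cisco or ASD. The configuration and log excerpts are constructed; the log message formats follow the indicators Cisco published for CVE-2023-20198, and the hexadecimal check implements the Talos probe described above. The allow-list of administrators, the tunnel baseline and the minimum hex length are assumptions a reader would replace with their own values.

```python
import re
from dataclasses import dataclass

# Constructed `show running-config` excerpt. The indicators (a cisco_tac_admin
# account, an unexpected tunnel, web UI enabled) are placed here deliberately.
SAMPLE_CONFIG = """\
hostname edge-sw01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
!
interface Tunnel100
 ip address 192.0.2.1 255.255.255.252
!
ip http server
ip http secure-server
!
end
"""

# Constructed syslog excerpt. Message formats follow the indicators Cisco
# published for CVE-2023-20198; user names, addresses and timestamps are invented.
SAMPLE_LOGS = """\
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.7] at 03:42:13 UTC Wed Oct 11 2023
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD filename
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.0.0.5] [localport: 22] at 08:00:00 UTC Thu Oct 12 2023
"""

USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)", re.M)
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: (\S+)\]"
)


@dataclass
class Finding:
    severity: str
    message: str


def audit_config(config, allowed_users, baseline_tunnels=frozenset()):
    """Flag local accounts not on the allow-list, tunnel interfaces not in the
    baseline, and an enabled HTTP/HTTPS web UI."""
    findings = []
    for user, priv in USERNAME_RE.findall(config):
        if user not in allowed_users:
            sev = "high" if priv == "15" else "medium"
            findings.append(Finding(sev, f"unexpected local account {user!r} (privilege {priv or 'default'})"))
    for tunnel in TUNNEL_RE.findall(config):
        if tunnel not in baseline_tunnels:
            findings.append(Finding("medium", f"tunnel interface {tunnel} not in baseline"))
    for svc in ("ip http server", "ip http secure-server"):
        # A bare `ip http ...` line means the service is on; `no ip http ...` does not match.
        if re.search(rf"^{re.escape(svc)}$", config, re.M):
            findings.append(Finding("medium", f"{svc} is enabled; disable it or restrict it with ip http access-class"))
    return findings


def scan_logs(logs, allowed_users):
    """Return (label, line) pairs for log lines matching the published indicators."""
    hits = []
    for line in logs.splitlines():
        if "%WEBUI-6-INSTALL_OPERATION_INFO" in line:
            hits.append(("web UI install operation (possible implant install)", line))
        elif "%SYS-5-CONFIG_P" in line and "SEP_webui_wsma_http" in line:
            hits.append(("configuration changed programmatically via the web UI", line))
        else:
            m = WEBLOGIN_RE.search(line)
            if m and m.group(1) not in allowed_users:
                hits.append((f"web UI login by unknown user {m.group(1)} from {m.group(2)}", line))
    return hits


def implant_response_indicates_compromise(body):
    """Evaluate the response body of the Talos probe
    `curl -k -X POST https://<device>/webui/logoutconfirm.html?logon_hash=1`.
    The original implant answers with a bare hexadecimal string; a clean device
    returns an HTML page. Later variants check an Authorization header first and
    stay silent, so a negative result does not prove the device is clean.
    The 8-character minimum is an assumption chosen to avoid matching short tokens."""
    return re.fullmatch(r"[0-9a-fA-F]{8,}", body.strip()) is not None


if __name__ == "__main__":
    admins = {"netadmin"}
    for f in audit_config(SAMPLE_CONFIG, admins):
        print(f"[{f.severity}] {f.message}")
    for label, line in scan_logs(SAMPLE_LOGS, admins):
        print(f"[log] {label}: {line}")
```

Feed the functions the text of `show running-config` and `show logging` pulled over SSH (not over the web UI, which is the service under attack), and treat any high-severity finding as a compromised device rather than a policy violation: the account clean-up, reboot and patch sequence described later applies.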
Prevention strategies and hardening
- Apply Cisco's fixed releases such as 17.9.4a, 17.6.6a, 17.3.8a, or 16.12.10a where applicable, because patching removes the root exploit; these releases also fix CVE-2023-20273, the second web UI flaw used to install the implant.
- Disable ip http server and ip http secure-server when they are not required. Where the HTTPS web UI must stay enabled, restrict it with an ip http access-class ACL to management addresses only.
- Enforce strict ACLs and management plane protection. Use role based access control and rotate highly privileged credentials frequently.
- Reboot a compromised device as an immediate containment step, because the BADCANDY implant does not persist across reboots. Any username the attacker added persists in the saved configuration and survives the reboot, so remove those accounts, rotate every privileged credential, and patch before the device returns to service; otherwise an unpatched device is simply re-exploited.
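The hardening steps above translate into a short block of IOS XE configuration. The generator below is an added example for this article (not code from the page's sources or from Cisco); it emits the commands that remove backdoor accounts, turn off plaintext HTTP, and fence the HTTPS web UI behind a standard ACL. The ACL name, the management networks and the account list are assumptions, and the `ip http access-class ipv4 <name>` syntax is the IOS XE 17.x form; older releases take a numbered ACL instead.

```python
import ipaddress

ACL_NAME = "WEBUI-MGMT"  # assumed ACL name; choose your own


def hardening_commands(mgmt_networks, rogue_users, keep_https=True, acl_name=ACL_NAME):
    """Return IOS XE configuration lines (for `configure terminal`) that remove the
    given local accounts, disable plaintext HTTP, and either restrict HTTPS to the
    given management networks or disable it entirely.

    mgmt_networks: CIDR strings such as "10.0.0.0/24"; must be true network addresses.
    rogue_users:   usernames found by the configuration audit that nobody created.
    """
    lines = []
    for user in rogue_users:
        # Deleting the account invalidates the credential the actor created; the
        # legitimate admin accounts still need their secrets rotated separately.
        lines.append(f"no username {user}")

    lines.append("no ip http server")  # plaintext HTTP is never required

    if keep_https:
        lines.append(f"ip access-list standard {acl_name}")
        for net in mgmt_networks:
            n = ipaddress.ip_network(net, strict=True)
            # IOS ACLs take a wildcard (inverse) mask, not a prefix length or netmask.
            lines.append(f" permit {n.network_address} {n.hostmask}")
        lines.append(" deny any log")  # log the scanners and the actor's retries
        lines.append("ip http secure-server")
        lines.append(f"ip http access-class ipv4 {acl_name}")
    else:
        lines.append("no ip http secure-server")

    lines.append("end")
    return lines


if __name__ == "__main__":
    # Constructed inputs: the accounts the audit flagged and the NOC subnet plus a jump host.
    for line in hardening_commands(["10.0.0.0/24", "192.0.2.10/32"], ["cisco_tac_admin", "cisco_support"]):
        print(line)
```

Review the output before pasting it, save it with `write memory` afterwards so that the reboot does not restore the old state, and pair it with the patch: an access-class only narrows who can reach the vulnerable web UI, it does not fix CVE-2023-20198.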
Real-world context
Security researchers and government CERTs have observed renewed BADCANDY activity through 2024 and 2025, so edge device hardening should be treated as urgent. Layered detection reduces the chance that a compromise goes unnoticed long enough to become a long-term foothold.
Comparison table: Popular web shells including BADCANDY web shell
The table below compares common web shells and highlights detection and mitigation differences. It helps security teams prioritise defensive actions.
| Web shell | Detection difficulty | Common attack vectors | Typical payload | Recommended mitigations |
|---|---|---|---|---|
| BADCANDY web shell | Moderate to high; uses non-persistent patches to evade checks | Exploitation of Cisco IOS XE web UI; CVE-2023-20198 privilege escalation | Lua-based web shell that integrates with the web UI; credential exfiltration and backdoor account creation | Patch to fixed IOS XE releases (17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a); disable ip http server when unused; enforce ACLs; monitor accounts and file integrity |
| China Chopper | Moderate; small stager can be obfuscated | Compromised web apps via file upload or RCE | Tiny PHP or ASP backdoor offering remote command execution and file manager | Harden web apps; deploy WAF; block suspicious uploads; monitor web logs; IDS rules |
| Weevely | Moderate; mimics legitimate traffic at times | Vulnerable PHP applications and exposed panels | PHP-based web shell providing interactive command shell and persistence helpers | Harden PHP settings; scan for suspicious scripts; use file integrity monitoring and WAF |
| Generic PHP/ASP shells (r57, c99) | Moderate to high depending on obfuscation | Exploited web application vulnerabilities and weak uploads | Full-featured web shells with file manager, database access, and exec | Patch web apps; restrict uploads; isolate management interfaces; monitor for unknown web files |
Notes
- Because BADCANDY targets a network OS web UI rather than a web application, detection must include configuration audits and AAA log review. A reboot removes the implant, but it must be followed by account clean-up, credential rotation and patching to prevent re-infection, so edge device hardening should be treated as urgent.
To conclude, the BADCANDY web shell represents a sustained and evolving threat to Cisco IOS XE devices. It exploits CVE-2023-20198 to gain privileged access and can exfiltrate credentials and create backdoor accounts. Because the implant is Lua-based and often uses non-persistent patches, attackers evade simple detection and re-exploit vulnerable devices. Therefore organisations must treat edge device security as a high priority.
Focus on patch management, service hardening, and monitoring to reduce risk. Apply Cisco fixes for affected IOS XE releases and disable ip http server when unnecessary. Use strict ACLs, role based access control, and rotate privileged credentials frequently. In addition, combine configuration audits with log analysis and file integrity checks to detect anomalous changes quickly.
Vigilance should also include incident response readiness: a reboot removes the implant, but only the follow-up remediation of removing added accounts, rotating credentials and patching prevents re-infection.
Frequently Asked Questions about BADCANDY web shell
What is the BADCANDY web shell?
BADCANDY web shell is a Lua-based implant targeting the Cisco IOS XE web UI. It leverages the CVE-2023-20198 privilege escalation to gain privilege 15 access. Because the actor applies a non-persistent patch after exploitation, a vulnerability scan may no longer flag a device that is already compromised.
How does BADCANDY typically infect devices?
Attackers exploit the web UI vulnerability to create privileged accounts and upload Lua scripts. Next, they deploy the web shell, harvest credentials, and sometimes remove traces. In addition, they may re-exploit devices after a reboot.
How can I detect a BADCANDY infection quickly?
Monitor for unusual admin accounts, especially names like cisco_tac_admin or cisco_support. Also, check ip http server and ip http secure-server settings, interface tunnel[number] changes, and unknown Lua files. Use configuration drift tools, file integrity checks, and AAA logs to spot anomalies.
What are immediate remediation steps if a device is compromised?
Rebooting removes the short-lived implant, but the accounts the attacker added survive in the saved configuration, so remove them, rotate credentials, apply Cisco's fixed releases and disable unneeded HTTP services. Also enforce strict ACLs on the web UI and perform a full configuration audit before the device returns to service.
Who is affected and what is the likely impact?
Edge network devices such as Catalyst switches and other IOS XE platforms with the web UI exposed are at risk. ASD (the Australian Signals Directorate) has reported hundreds of potentially impacted devices, so service disruption and credential theft are realistic outcomes, and organisations should prioritise hardening and monitoring.


