BADCANDY Web Shell Exploits IOS XE Flaw to Seize Control of Your Network Perimeter

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

Published by CyberDudeBivash • Date: Nov 1, 2025 (IST)

BADCANDY is a Lua-based web shell implanted on Cisco IOS XE devices exploited through the Web UI zero-day chain (CVE-2023-20198 → CVE-2023-20273). The campaign never really stopped: government advisories in late 2025 still show hundreds of compromised devices. This post gives you a fast, practical playbook to find it, evict it, and harden your edge. 

TL;DR — Immediate Actions

  • Assume exposure if the IOS XE Web UI is, or ever was, enabled. The flaw (CVE-2023-20198) lets an unauthenticated attacker create a privilege-level-15 admin account; attackers then drop the BADCANDY shell.
  • Reboot + patch + harden: The implant is non-persistent across reboots, but attackers often add other persistence. Patch and lock down HTTP(S) Web UI now. 
  • Hunt indicators & backdoors: Check for rogue priv-15 users (e.g., cisco_tac_admin), unknown tunnel interfaces, suspicious config changes.
  • Use the public implant checks (percent-encoding response trick) to detect known BADCANDY variants; then rotate creds/secrets. 

1) What Is BADCANDY & How It Lands

BADCANDY is a Lua-based web shell written onto IOS XE systems after exploiting the Web UI zero-day chain: CVE-2023-20198 (Web UI privilege escalation, CVSS 10) enables creating a level-15 admin user, followed by CVE-2023-20273 (command injection) to write the implant and achieve root-level command execution. 

Government guidance in Oct 2025 confirms continued exploitation, with hundreds of still-compromised devices and evidence of re-exploitation where patching and hardening lag. 

2) Affected Devices & Exposure Profile

  • Any IOS XE device with the Web UI enabled (via ip http server / ip http secure-server) is at risk: Catalyst, ASR, NCS and others. Internet-exposed UIs are the prime targets. 
  • Attack surface persists where orgs disabled the UI after compromise but didn’t patch or rotate credentials/tokens—actors can return. 
  • CISA KEV lists parts of the chain as known exploited; treat with highest urgency. 

3) Detection & Verification (Step-By-Step)

3.1 Quick External Check (Known Implant Variants)

Use the Fox-IT implant probe to identify BADCANDY (v1–v3) by sending a crafted percent-encoded request and evaluating the HTTP response behavior. (Do not rely on this alone; absence ≠ clean.) 

3.2 On-Box Triage

  • Users & privileges: review for unexpected priv-15 accounts (notably random names or cisco_tac_admin, cisco_support, cisco_sys_manager, or just cisco). Remove if not legitimate. 
  • Tunnels: list interface tunnel<n> entries and verify unknown source/destination pairs—often used for post-implant lateral access.
  • AAA/TACACS+ accounting: diff configuration changes; alert on privilege escalation and HTTP server toggles. 

3.3 SIEM Queries (KQL-style pseudocode)

// New admin account on IOS XE (privilege 15)
NetworkDeviceConfig
| where Platform == "IOS-XE" and Event == "UserCreated"
| where Privilege == 15
| summarize cnt = count() by Device, User, bin(Time, 1h)

// Web UI enable/disable and config drift
NetworkDeviceConfig
| where Command has_any ("ip http server", "ip http secure-server", "no ip http server")
| project Device, User, Command, Time

// Suspicious tunnel interfaces added
NetworkDeviceConfig
| where Command startswith "interface tunnel"
| project Device, Command, Time
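The on-box triage in 3.2 and the SIEM logic in 3.3 look for the same three things (privilege-15 accounts outside an allowlist, tunnel interfaces, and Web UI toggles). The following is an added example, not code from the original post or from CyberDudeBivash: one command classifier shared by a static running-config audit and a streaming scan of IOS XE %PARSER-5-CFGLOG_LOGGEDCMD config-change syslog lines. The running-config excerpt, the log lines, the hostname-prefixed log format, the device and user names and the addresses are all constructed for the example; the allowlist of legitimate admins is something the operator supplies.

```python
import re

# Account names Cisco/ASD guidance associates with this campaign; any other
# privilege-15 account is judged against the operator-supplied allowlist.
SUSPECT_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)")
TUNNEL_RE = re.compile(r"^interface\s+Tunnel(\d+)", re.IGNORECASE)
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-)?server\b")
# Format emitted by IOS XE 'archive / log config / notify syslog' (constructed sample below)
CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")


def classify_command(cmd):
    """Map one IOS XE config command to (finding_kind, value), or None if uninteresting."""
    cmd = cmd.strip()
    m = USERNAME_RE.match(cmd)
    if m:
        # 'username X secret ...' without 'privilege' defaults to level 1 and is ignored
        return ("priv15_user", m.group(1)) if int(m.group(2)) == 15 else None
    m = TUNNEL_RE.match(cmd)
    if m:
        return ("tunnel", "Tunnel" + m.group(1))
    m = HTTP_RE.match(cmd)
    if m:
        return ("web_ui", "disabled" if m.group(1) else "enabled")
    return None


def is_rogue(user, allowed_admins):
    """A priv-15 user is rogue if it is a known campaign name or simply not on the allowlist."""
    return user in SUSPECT_NAMES or user not in allowed_admins


def audit_running_config(config_text, allowed_admins):
    """Static triage of a 'show running-config' dump (section 3.2)."""
    findings = {"rogue_priv15_users": [], "tunnel_interfaces": {}, "web_ui_enabled": False}
    current_tunnel = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_tunnel = None  # leaving the previous interface block
        f = classify_command(line)
        if f:
            kind, value = f
            if kind == "priv15_user" and is_rogue(value, allowed_admins):
                findings["rogue_priv15_users"].append(value)
            elif kind == "tunnel":
                current_tunnel = value
                findings["tunnel_interfaces"][value] = None  # destination filled in below
            elif kind == "web_ui" and value == "enabled":
                findings["web_ui_enabled"] = True
        elif current_tunnel and line.startswith("tunnel destination "):
            # Record the peer so unknown source/destination pairs can be reviewed
            findings["tunnel_interfaces"][current_tunnel] = line.split()[2]
    return findings


def scan_config_log(lines, allowed_admins):
    """Streaming equivalent of the 3.3 SIEM queries over '<device> <syslog msg>' lines."""
    alerts = []
    for line in lines:
        device, _, msg = line.partition(" ")
        m = CFGLOG_RE.search(msg)
        if not m:
            continue  # not a config-change record (e.g. %SYS-5-CONFIG_I)
        actor, cmd = m.group(1), m.group(2).strip()
        f = classify_command(cmd)
        if not f:
            continue
        kind, value = f
        if kind == "priv15_user" and is_rogue(value, allowed_admins):
            alerts.append((device, "rogue_priv15_user", actor, value))
        elif kind == "tunnel":
            alerts.append((device, "tunnel_added", actor, value))
        elif kind == "web_ui":
            alerts.append((device, "web_ui_" + value, actor, cmd))
    return alerts


# Constructed sample data (hashes are placeholders, addresses are documentation ranges)
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 5 $1$placeholder
username helpdesk privilege 1 secret 9 $9$placeholder
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
"""

SAMPLE_LOG = [
    "edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username backup-admin privilege 15 secret 9 x",
    "edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco_tac_admin  logged command:interface Tunnel0",
    "edge-rtr-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no ip http server",
    "edge-rtr-02 %SYS-5-CONFIG_I: Configured from console by netops on vty0",
]

if __name__ == "__main__":
    print(audit_running_config(SAMPLE_CONFIG, {"netops"}))
    for alert in scan_config_log(SAMPLE_LOG, {"netops"}):
        print(alert)
```

The allowlist matters more than the hard-coded suspect names: BADCANDY operators have used arbitrary account names, so any privilege-15 user you cannot attribute to a change record should be treated as a finding until proven otherwise.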

4) Eviction & Hardening Checklist

  1. Patch immediately to releases addressing CVE-2023-20198 / CVE-2023-20273 (Cisco advisories enumerate the fixed trains).
  2. Disable or restrict Web UI on internet-facing routers/switches; if needed, allowlist management IPs only. (Cisco & ASD emphasize disabling HTTP server to remove the vector.) 
  3. Reboot to clear the non-persistent implant, but don’t stop there: rotate creds/keys, remove rogue users, and inspect for backdoors. 
  4. Rotate TACACS+/RADIUS secrets, local admin passwords, and any tokens that touched the device while exposed.
  5. Harden IOS XE per vendor guide (SSH-only mgmt, AAA with command accounting, secure SNMP, out-of-band mgmt, logging to SIEM). 

5) 30-60-90 Day Perimeter-Hardening Plan

Day 0–30 — Contain & Verify

  • Inventory all IOS XE devices; flag any with Web UI ever enabled; run Fox-IT probe and config checks. 
  • Patch to fixed trains; disable/allowlist Web UI; reboot to evict implant. 
  • Purge rogue users; rotate AAA secrets and local admin credentials; enable full command accounting. 

Day 31–60 — Harden & Monitor

  • Adopt “no internet-facing UI” baseline; enforce mgmt via VPN/privileged jump hosts only.
  • Ship device logs to SIEM; alert on HTTP server toggles, user adds, tunnel creation.
  • Run external attack surface scans weekly for IOS XE mgmt endpoints.

Day 61–90 — Assure & Audit

  • Quarterly config drift reviews; zero-trust mgmt network design; emergency break-glass playbook.
  • Board KPIs: # devices with Web UI disabled, patch compliance %, rogue-user findings, time-to-remediate.

FAQ

Is BADCANDY still active in 2025?

Yes. National-level guidance (Oct 31, 2025) shows ongoing compromises and re-exploitation where patching and hardening lag.

Does a reboot fully fix the issue?

No. Reboot removes the implant but not the underlying vulnerability or any backdoors/credentials the attacker added. Patch and full hygiene are mandatory.

Which CVEs are involved?

CVE-2023-20198 (Web UI privilege escalation, CVSS 10) and CVE-2023-20273 (command injection used post-access). Both were widely exploited and are referenced across vendor and industry advisories. 

Sources

  • ASD/ACSC advisory & PDF: “Don’t take BADCANDY from strangers” (Oct 31, 2025): overview, non-persistence on reboot, hardening actions, Australia stats. 
  • Cisco security advisory: Multiple vulnerabilities in IOS XE Web UI; active exploitation and mitigations.
  • Cisco Talos analysis: exploitation flow and BADCANDY implant details (Lua, command execution). 
  • Fox-IT: public implant detection technique (v1–v3 probes). 
  • Rapid7 / Tenable overviews: affected products, risk, enablement via Web UI. 
  • CISA KEV: IOS XE chain entries listed as known exploited.

CyberDudeBivash — Services, Apps & Ecosystem

  • Edge Device Compromise Assessment (IOS XE BADCANDY triage, config diff, rogue-user cleanup, token/secret rotation)
  • Perimeter Hardening Program (no-UI baseline, AAA & command accounting, SIEM detections, jump-host mgmt)
  • Threat Hunting & IR (external probe runs, tunnel/egress mapping, re-exploitation watch, tabletop “implant & extortion”)
