Attackers continue to plant a Lua-based web shell called BADCANDY on internet-exposed Cisco IOS XE devices. They exploit the IOS XE web UI flaw tracked as CVE-2023-20198, regain access after superficial cleanup, and abuse privileged accounts to persist. Because exposure and patch gaps remain common, some organizations see repeat compromise within hours. Therefore, defenders need a durable plan: close exposure, apply fixed releases, rotate credentials, and verify eradication with targeted checks.
WHAT BADCANDY IS AND HOW IT LANDS
BADCANDY functions as an HTTP-reachable web shell that adversaries deploy after exploiting the IOS XE web management interface. After exploitation, the intruder escalates to privilege 15, creates high-privilege local users, and drops the shell for command execution. In practice, a simple reboot clears volatile artifacts yet changes nothing fundamental; the vulnerability still exists, the web UI still faces the internet, and the attacker returns. As a result, devices that remain unpatched and exposed get re-implanted quickly. Moreover, campaign activity has stretched from late 2023 through 2025, which signals a persistent exposure problem rather than a single wave.
WHY DEVICES KEEP GETTING RE-INFECTED
Re-infection happens because two conditions persist: public management exposure and missing fixes. First, the web UI remains reachable from the internet, so scanning leads attackers straight to the device. Second, the software stays vulnerable, which makes exploitation trivial. Additionally, attackers monitor the edge and probe regularly; when they notice the shell or an account disappears, they trigger the exploit again and re-establish control. Consequently, “remove and reboot” never counts as recovery. Instead, durable remediation requires upgrading to a fixed release, restricting or disabling the web UI on public interfaces, and rotating all credentials that could grant administrative access.
ATTACK CHAIN AND TTPs
The sequence follows a pattern defenders can anticipate. Initially, the adversary scans for IOS XE systems with the web UI exposed. Next, the actor hits the CVE-2023-20198 path to gain unauthenticated, high-privilege access. Then, the intruder creates local privilege 15 users and deploys the BADCANDY Lua shell. Afterward, the attacker may introduce tunnel interfaces, modify AAA to reduce logging, or stage additional changes that ease future access. Finally, if a defender removes the implant without fixing exposure and software, the adversary repeats the exploit and restores the shell. Conceptually, the chain aligns with ingress tool transfer and web shell tactics, and it exploits the management plane rather than the data plane.
INDICATORS AND WHAT TO HUNT FOR THE CISCO IOS XE WEB SHELL
Effective hunting focuses on accounts, config drift, and management traffic. To start, audit for new or unexpected privilege 15 users, including names that mimic support functions. Furthermore, review AAA/TACACS+ command accounting for privilege changes, unusual configuration commands, and gaps in expected audit events. Next, examine the running configuration for unknown tunnel interfaces, altered HTTP server settings, or management plane exposure that reappeared after previous cleanup. In parallel, check edge logs for web UI access from rare IP ranges, recurring probes, and request patterns that match known BADCANDY behavior. Finally, compare current device responses to documented fingerprints from researchers so you can confirm eradication objectively.
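As an added example (not code from the original article), the following Python audit implements the privilege 15 user review and configuration drift checks described above, plus the allowlist comparison the automation section calls for later, against a constructed running-config excerpt; the allowlist, usernames, addresses and secrets are placeholders, not values from any real device.

```python
import re

# Constructed sample running-config excerpt; names, addresses and secrets are placeholders.
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_support privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
!
interface Tunnel77
 tunnel source GigabitEthernet0/0/0
!
ip http server
ip http secure-server
!
"""

ALLOWED_PRIV15 = {"netops"}   # assumed allowlist of approved administrators

def parse_config(text):
    """Pull out the items the hunt cares about: privilege 15 users,
    tunnel interfaces, and the HTTP server / access-class settings."""
    cfg = {"priv15": set(), "tunnels": [], "http_server": False,
           "http_secure": False, "http_access_class": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"username (\S+) privilege 15\b", line):
            cfg["priv15"].add(m.group(1))
        elif m := re.match(r"interface (Tunnel\d+)$", line):
            cfg["tunnels"].append(m.group(1))
        elif line == "ip http server":
            cfg["http_server"] = True
        elif line == "ip http secure-server":
            cfg["http_secure"] = True
        elif m := re.match(r"ip http access-class (.+)", line):
            cfg["http_access_class"] = m.group(1)
    return cfg

def audit(text, allowed_priv15, known_tunnels=()):
    """Return findings a responder should review; an empty list means no drift."""
    cfg = parse_config(text)
    findings = [f"unexpected privilege 15 user: {u}"
                for u in sorted(cfg["priv15"] - set(allowed_priv15))]
    findings += [f"unknown tunnel interface: {t}"
                 for t in cfg["tunnels"] if t not in known_tunnels]
    if (cfg["http_server"] or cfg["http_secure"]) and not cfg["http_access_class"]:
        findings.append("web UI enabled without an ip http access-class restriction")
    return findings
```

Run `audit(SAMPLE_CONFIG, ALLOWED_PRIV15)` against the output of `show running-config` saved to a file; three findings come back for the sample, and a clean, restricted configuration returns an empty list.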
IMMEDIATE CONTAINMENT AND ERADICATION
A durable cleanup follows a strict order. First, remove unknown users and disable suspicious tunnel interfaces. Second, apply the vendor’s fixed releases that address CVE-2023-20198; treat this as non-negotiable. Third, disable or tightly restrict the web UI, and prefer out-of-band management. Fourth, rotate local device credentials, TACACS+/RADIUS secrets, API keys, and any credentials stored on integrated management systems. Fifth, validate the running configuration against a known-good baseline and capture a signed copy for evidence. Sixth, run external probes from outside the network to confirm the management interface no longer responds on public paths. Finally, monitor for renewed exploit attempts for several days so you can prove the fix holds.
HARDENING THE EDGE FOR THE LONG TERM
Long-term resilience depends on exposure discipline. Therefore, block the web management plane from the internet by default and restrict admin access to an out-of-band network with MFA. Additionally, inventory IOS XE versions and enforce patch SLAs that reflect edge criticality. Because configuration drift undermines these controls, track configuration changes and alert on reappearance of the web UI or HTTP services at the edge. Moreover, require change tickets for any temporary management exposure and expire exceptions automatically. To verify controls, schedule recurring external scans that look for the web UI and related endpoints, and fail closed if exposure returns. Finally, adopt short-lived admin credentials, centralize authentication, and retain audit logs long enough to reconstruct edge timelines after an incident.
BUSINESS RISK AND REPORTING
Compromised routers give attackers leverage over critical traffic paths. Consequently, adversaries can intercept or reroute flows, degrade integrity of logs, and pivot toward internal systems that trust the edge. Because network infrastructure counts as sensitive, many organizations face regulatory reporting obligations when devices get taken over. Therefore, executives need clear metrics: the count of internet-facing management interfaces, median time to patch, number of devices with clean configuration diffs after remediation, and the volume of blocked re-exploitation attempts. With those numbers visible, leadership can set deadlines and track actual risk reduction rather than rely on status claims.
HOW TEAMS SLIP AND HOW TO AVOID IT
Teams often miss small but decisive details. For example, they patch the main cluster yet leave remote branches unchanged. Likewise, they restrict the web UI at the firewall while a NAT rule leaks access from a legacy range. In other cases, they rotate local credentials but forget TACACS+ shared secrets that grant indirect admin access. To avoid these gaps, run a “two-person integrity” check for every remediation, and include branches, lab gear, and partner-managed sites. Additionally, store a golden configuration and compare post-change output line by line. Because attackers probe relentlessly, a single oversight invites a new foothold.
PLAYBOOK CHECKS YOU CAN AUTOMATE
Automation raises assurance without slowing teams down. Start with a scheduled scan that confirms the web UI never answers externally. Then trigger a configuration diff weekly and alert when HTTP services or management ACLs change. Next, extract privilege 15 user lists and compare them against an allowlist. Moreover, parse TACACS+ logs for admin commands executed outside maintenance windows. Finally, pipe edge events to your SIEM and create a simple sequence rule: exploit-like HTTP hits followed by configuration changes or user creation. When that rule fires, responders can act before the shell appears again.
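The sequence rule described above, as an added example that is not part of the original article: it parses constructed syslog-style lines (a simplified format, not real IOS XE output) and raises an alert when a web UI request from a source outside an assumed management allowlist is followed within a window by a configuration change or a user creation on the same device.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified syslog-like format; hosts and IPs are placeholders.
SAMPLE_LOG = """\
2025-03-01T10:00:05 edge-rtr-01 HTTP: web UI request from 203.0.113.9 path=/webui/
2025-03-01T10:02:40 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.9)
2025-03-01T10:03:01 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:username cisco_tac_support privilege 15
2025-03-01T11:30:00 edge-rtr-01 HTTP: web UI request from 10.10.0.5 path=/webui/
2025-03-01T11:31:10 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.0.5)
2025-03-01T14:00:00 edge-rtr-01 HTTP: web UI request from 198.51.100.77 path=/webui/
"""

MGMT_ALLOWLIST = {"10.10.0.5"}      # assumed management sources allowed to use the web UI
WINDOW = timedelta(minutes=15)      # how soon after a hit a change counts as related

def parse_events(text):
    """Normalise each line to (timestamp, host, kind, detail)."""
    events = []
    for line in text.splitlines():
        ts_str, host, msg = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_str)
        if m := re.search(r"web UI request from (\S+)", msg):
            events.append((ts, host, "webui", m.group(1)))
        elif "%SYS-5-CONFIG_I" in msg:
            events.append((ts, host, "config_change", msg))
        elif "logged command:username" in msg:
            events.append((ts, host, "user_add", msg))
    return events

def sequence_alerts(text, allowlist, window=WINDOW):
    """Alert on: web UI hit from a non-allowlisted source, then a config change
    or user creation on the same host within the window."""
    events = sorted(parse_events(text))   # tuples sort by timestamp first
    alerts = []
    for i, (ts, host, kind, src) in enumerate(events):
        if kind != "webui" or src in allowlist:
            continue
        for ts2, host2, kind2, _detail in events[i + 1:]:
            if ts2 - ts > window:
                break                      # later events are outside the window
            if host2 == host and kind2 in ("config_change", "user_add"):
                alerts.append((host, src, kind2, ts2.isoformat()))
    return alerts
```

For the sample, the two changes that follow the 203.0.113.9 hit produce alerts, the allowlisted 10.10.0.5 session does not, and the lone probe at 14:00 is recorded but not escalated because no change follows it.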