14,000+ Cisco routers infected with BadCandy backdoor

Publication date: 2025-11-05
NEWS

TL;DR

  • Scope: ~14,000+ Cisco IOS XE routers & switches worldwide remain infected with the BadCandy Lua web shell. Peak scans recently reported ~18,000; 129 in the Netherlands.
  • Root cause: exploitation of CVE-2023-20198 (Web UI) to create privilege-15 accounts; some campaigns chain a second bug to run commands.
  • Behavior: the implant is non-persistent (reboot clears it) but actors often “patch” the vulnerable web page and keep access via stolen credentials—so reinfection remains common.
  • Quick action: disable external Web UI, patch IOS XE to Cisco’s fixed releases, reboot, rotate credentials, hunt for unknown admin users.
  • Annotated CVE: https://basefortify.eu/cve_reports/2023/10/cve-2023-20198.html

 

What is BadCandy?

BadCandy is a small Lua-based web shell dropped into the IOS XE web interface after an unauthenticated exploit of CVE-2023-20198, which allows creation of a privilege-15 account. Once on a device, actors commonly:

  • create a local admin user (privilege-15),
  • modify the web UI to hide the exploit vector,
  • harvest or reuse credentials so they can return even after a reboot.

For a deeper technical breakdown see our annotated CVE report:
CVE-2023-20198 — Annotated Report: https://basefortify.eu/cve_reports/2023/10/cve-2023-20198.html

 

Hands-on checks

Only test or run commands on devices you own/manage.

  1. Can the Web UI be reached from the internet?
    From a host outside your network try opening: https://your.device.ip/ (replace with your public IP).
    If the GUI responds on ports 80/443, that device’s management interface is internet-exposed — treat it as high risk.
  2. Quick config checks on IOS XE
    • Is the HTTP(S) server enabled?
      show running-config | include ip http
      If you see ip http server or ip http secure-server, the device hosts a Web UI.
    • Any unexpected local admins?
      show running-config | include username
      Look for unknown accounts or accounts with privilege 15.
    • Check AAA and remote auth for suspicious changes:
      show running-config | include aaa
  3. Confirm software level
    Compare show version output to Cisco’s fixed releases for CVE-2023-20198. If your IOS XE build predates the fix, plan upgrades immediately.
  4. Look for implant indicators (defender techniques)
    • Unusual HTTP responses or requests to odd paths on the web UI.
    • Unexpected configuration changes (new users, re-enabled HTTP servers) in syslogs.
    • Shadowserver / CERT notifications for your IP space (often tagged badcandy or device-implant).
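The three config checks in step 2 can be run offline against a saved `show running-config` capture instead of eyeballing grep output. The script below is an added example (not BaseFortify's or Cisco's code): it parses the capture, reports whether the Web UI is enabled, lists privilege-15 accounts that are not on an operator-supplied approved list, and notes when no AAA configuration is present. The sample config is constructed, and the device name, account names and approved-admin set are assumptions.

```python
"""
Offline audit of a captured IOS XE running-config for the indicators in the
"Hands-on checks" above: Web UI enabled, unexpected privilege-15 local
accounts, and AAA present or absent.

Added example, not BaseFortify's or Cisco's code.  Assumes the text was saved
from `show running-config` and that the operator supplies the approved-admin
list.  SAMPLE_CONFIG is a constructed snippet, not a real device capture.
"""
import re

# Constructed sample capture (hypothetical device, hashes redacted).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
aaa new-model
aaa authentication login default group tacacs+ local
!
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
end
"""

# Accounts the operator knows about; any other privilege-15 account is flagged.
APPROVED_ADMINS = {"netops"}

# `username <name> [privilege <n>] ...`; IOS defaults to privilege 1 when omitted.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")
WEB_UI_CMDS = ("ip http server", "ip http secure-server")


def parse_config(config_text):
    """Return (web_ui_cmds, {user: privilege}, aaa_lines) from a config dump."""
    web_ui, users, aaa = [], {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in WEB_UI_CMDS:          # "no ip http server" does not match
            web_ui.append(line)
        elif line.startswith("aaa "):
            aaa.append(line)
        else:
            m = USERNAME_RE.match(line)
            if m:
                users[m.group(1)] = int(m.group(2) or 1)
    return web_ui, users, aaa


def audit_config(config_text, approved_admins=frozenset(APPROVED_ADMINS)):
    """Return human-readable findings; an empty list means no indicator hit."""
    web_ui, users, aaa = parse_config(config_text)
    findings = []
    for user, priv in users.items():
        if priv == 15 and user not in approved_admins:
            findings.append(f"unapproved privilege-15 account: {user}")
    if web_ui:
        findings.append("Web UI enabled: " + ", ".join(web_ui))
    if not aaa:
        findings.append("no AAA configuration: device relies on local accounts only")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against captures from every IOS XE device in your inventory; a device that returns an empty list still needs the software-level check in step 3, since a clean config says nothing about whether the build is patched.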

 

Mitigation checklist

1) Isolate / reduce exposure

  • Block inbound 80/443 to network gear at the perimeter unless strictly required.
  • Restrict the management plane to a trusted management VLAN, VPN, or out-of-band network.

2) Disable Web UI (immediate, defensive)

On IOS XE:

configure terminal
no ip http server
no ip http secure-server
end
write memory

Confirm with:

show running-config | include ip http

3) Patch & reboot

  • Upgrade to Cisco’s patched IOS XE build documented in their advisory (see references).
  • Reboot the device to clear non-persistent implants.

4) Credential hygiene

  • Rotate all local admin passwords and any shared TACACS/RADIUS secrets. For a legitimate local admin:
    username <admin-user> privilege 15 secret 0 <new-secret>
  • Remove unknown username entries and disable local accounts where central auth is available:
    no username badactor

5) Hunt & verify

  • Review logs for admin creation timestamps and web UI activity.
  • Check for persistence mechanisms beyond the web shell (scheduled tasks, scripts, exported configs).
  • If compromise is suspected and integrity can’t be guaranteed, consider a clean re-provision.

6) Subscribe to alerts

  • Shadowserver sends owner notifications for infected IP ranges (e.g., tagged badcandy/device-implant). Ensure your abuse contact/WHOIS is up-to-date.

 

Detection tips for monitoring & IDS

  • Alert when ip http server / ip http secure-server is enabled on border devices.
  • Watch for new privilege 15 local users or sudden changes to AAA config.
  • Use simple HTTP/HTTPS probes (against your own devices) to detect abnormal responses from device web pages.
  • Feed Shadowserver/CSIRT notifications into your incident workflow.
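The first two tips (Web UI re-enabled, new privilege-15 users or AAA changes) map directly onto IOS configuration-change syslog messages, so they can be turned into a simple rule set on the syslog collector. The script below is an added example (not BaseFortify's or Cisco's code). It assumes the device logs configuration commands (IOS `archive` / `log config` / `logging enable`, with `hidekeys` masking passwords) and forwards syslog to the host running it; the sample lines are constructed, with the %PARSER-5-CFGLOG_LOGGEDCMD layout taken from Cisco's configuration-logging feature, and the device, user names and addresses are assumptions.

```python
"""
Flag configuration-change syslog events matching the detection tips above:
a privilege-15 account created or changed, the Web UI re-enabled, or the AAA
configuration altered.

Added example, not BaseFortify's or Cisco's code.  Assumes the device has
`archive` / `log config` / `logging enable` (with `hidekeys`) configured and
forwards syslog here.  SAMPLE_LOG is constructed; the layout follows the
%PARSER-5-CFGLOG_LOGGEDCMD message emitted by that feature.
"""
import re

# Constructed sample syslog lines (hypothetical device, users and addresses).
SAMPLE_LOG = """\
Nov  5 10:14:01.887 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/0/1
Nov  5 10:14:02.113 UTC: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.0.2.10)
Nov  5 03:22:41.004 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username cisco_tac_admin privilege 15 secret 0 *****
Nov  5 03:22:45.220 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco_tac_admin  logged command:ip http server
Nov  5 03:23:10.001 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco_tac_admin  logged command:no aaa authentication login default group tacacs+ local
"""

# "<timestamp>: %PARSER-5-CFGLOG_LOGGEDCMD: User:<actor>  logged command:<cmd>"
CFGLOG_RE = re.compile(
    r"^(?P<ts>.+?): %PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# (rule name, predicate over the whitespace-normalised command)
RULES = [
    ("privilege-15 account created/changed",
     lambda c: c.startswith("username ") and " privilege 15" in c),
    ("Web UI enabled",
     lambda c: c in ("ip http server", "ip http secure-server")),
    ("AAA configuration changed",
     lambda c: c.startswith("aaa ") or c.startswith("no aaa ")),
]


def scan_syslog(lines):
    """Return alerts as (rule, timestamp, actor, command), one per matching line."""
    alerts = []
    for line in lines:
        m = CFGLOG_RE.match(line.rstrip())
        if not m:
            continue  # other message types (e.g. %SYS-5-CONFIG_I) are ignored here
        cmd = " ".join(m.group("cmd").split())  # collapse IOS's double spaces
        for rule, hit in RULES:
            if hit(cmd):
                alerts.append((rule, m.group("ts"), m.group("user"), cmd))
                break
    return alerts


if __name__ == "__main__":
    for rule, ts, user, cmd in scan_syslog(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {ts} by {user}: {cmd}")
```

The actor field is worth keeping in the alert: an account created by one user and then used seconds later to re-enable the HTTP server, as in the sample, is exactly the sequence described under "What is BadCandy?", and the timestamps let you correlate it with the admin-creation review in the hunt step.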

 

How BaseFortify helps

  • Inventory & version tracking: add routers/switches as nodes; BaseFortify matches reported OS strings to CPEs and flags critical CVEs.
  • Annotated CVE linkage: our CVE pages contain exploit context, fixed releases, and remediation steps: CVE-2023-20198 — Annotated Report (https://basefortify.eu/cve_reports/2023/10/cve-2023-20198.html).
  • Prioritization: high-severity network management bugs surface at the top of the threats view so you can act quickly.

Want to get ahead of threats like these? You can register for BaseFortify and start mapping your own assets and risks at:
https://basefortify.eu/register

 

Final notes

BadCandy shows how simple misconfiguration (internet-exposed management) plus unpatched devices create long tails of risk. For SMBs, the most effective defenses are: remove internet access to management interfaces; patch; reboot to clear non-persistent implants; rotate credentials; and add detection rules for new admin accounts or HTTP server re-enablement.

 

References

  1. Security.nl coverage (Dutch): Ruim 14.000 Cisco-routers geïnfecteerd met Badcandy-backdoor ("More than 14,000 Cisco routers infected with BadCandy backdoor").
  2. BaseFortify annotated report: CVE-2023-20198 — IOS XE Web UI privilege escalation (analysis & remediation), https://basefortify.eu/cve_reports/2023/10/cve-2023-20198.html.
  3. Cisco PSIRT advisory for CVE-2023-20198 (IOS XE Web UI privilege escalation) — see Cisco Security Advisories portal.
  4. Cisco Talos write-ups on BadCandy web-shell variants (technical behavior and indicators).
  5. Shadowserver telemetry & notifications on infected IOS XE devices (BadCandy / device-implant tags).
  6. National cyber authority advisories (e.g., ACSC/ASD) on ongoing BadCandy activity and non-persistent implant behavior.