BADCANDY Implant Targets Cisco IOS XE Devices (CVE-2023-20198)

By Ash K

Overview

Threat actors continue to deploy a Lua-based web shell, dubbed BADCANDY by Cisco Talos, on Cisco IOS XE devices vulnerable to CVE-2023-20198, the web UI privilege-escalation flaw that lets an unauthenticated attacker create a privilege-15 (full administrative) account. First seen in October 2023, the implant has resurfaced in repeated waves through 2024 and into 2025 on devices that were never patched, were restored from vulnerable images, or still expose the web UI to the Internet.

Background on CVE-2023-20198

CVE-2023-20198 affects Cisco IOS XE devices with the web UI feature (the HTTP or HTTPS server) enabled and reachable. It lets a remote, unauthenticated attacker create a local account with privilege level 15, which is full control of the device. In the campaigns Cisco analyzed, the attacker then used a second web UI flaw, CVE-2023-20273 (a command injection that yields root on the underlying Linux system), to write the implant. Cisco published fixed releases and interim mitigations in October 2023, but thousands of routers and switches remain Internet-reachable with the web UI on, and those are the devices being re-compromised.

About the BADCANDY Implant

BADCANDY is a small Lua web shell that the attacker drops as an nginx configuration fragment (/usr/binos/conf/nginx-conf/cisco_service.conf) on the device's underlying Linux filesystem, outside the stock IOS XE software image. Once the web server loads it, it gives the attacker command execution through the web UI's HTTPS listener, independently of the rogue admin account used for initial access: removing that account does not remove the implant.

  • Persistence: The implant file itself does not survive a reboot, but the privilege-15 accounts created during exploitation and any other configuration changes do, and an unpatched device that still exposes the web UI is simply re-implanted. Deleting the rogue account does not remove the implant, and rebooting does not remove the account; both must be dealt with.
  • Access method: Attackers interact with the implant through crafted HTTP POST requests to the web UI; fixed logon_hash values select the implant's functions and a body parameter carries the command.
  • Command execution: Commands run without any device credentials, either as IOS CLI or at the underlying Linux system level. The updated variant additionally checks a hard-coded Authorization header value, which is a shared token for the attacker's use rather than authentication against the device.
  • Variants: At least two versions have been observed (the second added the header check), and the same base implant has appeared in activity attributed to separate threat clusters, suggesting active refinement.

Observed Campaigns (2023–2025)

  • Initial activity: Identified by Cisco Talos in October 2023 while investigating unexplained privilege-15 account creation on customer IOS XE devices; Cisco published the CVE, the implant description and an HTTP-based presence check within days.
  • 2024 resurgence: Repeated infections seen across enterprise and government networks; indicators of multiple actor groups leveraging the same base implant.
  • 2025 activity: Renewed exploitation campaigns observed targeting devices left unpatched or restored from vulnerable backups.

Technical Details

BADCANDY does not edit IOS XE's web UI pages; the device's nginx web server picks it up from the injected configuration file and serves it on the same HTTPS management port as the legitimate UI, under /webui/logoutconfirm.html. Parameters such as logon_hash (a fixed value selects the implant function) and content carry the encoded request, and commands can be executed either as IOS CLI or at the system (Linux) level. Captured payloads show attackers reading the running configuration (credential hashes, SNMP communities, routing and ACL detail), altering it, and using the device as a pivot into the networks behind it.

Example HTTP Request Pattern

POST /webui/logoutconfirm.html?logon_hash=12345 HTTP/1.1
Host: <target-device>
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

locale=en&content=show+running-config
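The request pattern above, as an added example that is not code from the original post or from Cisco: a Python script implementing the implant presence check Cisco Talos published, which is an unauthenticated POST to the same path with logon_hash=1. An implanted device answers with a bare hexadecimal string, a clean device returns its normal logout page, and a device whose web UI is off or filtered returns an error that proves nothing either way. The updated implant variant only answers when a hard-coded Authorization header is present; that value is not reproduced here and must be taken from Talos's revised guidance and passed as variant_auth. The target address and the sample responses in the test are constructed.

```python
"""Added example, not code from the original post or from Cisco: a script
form of the BADCANDY presence check published by Cisco Talos.

The check is an HTTPS POST to /webui/logoutconfirm.html?logon_hash=1 with no
credentials. An implanted device answers with a bare hexadecimal string; a
clean device returns its normal logout page; a device with the web UI
disabled or ACL'd returns an error that says nothing either way. A later
implant variant only answers when a hard-coded Authorization header is
present; take that value from Talos's updated advisory and pass it as
variant_auth. The address used in __main__ is constructed.
"""
import re
import ssl
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

PROBE_PATH = "/webui/logoutconfirm.html?logon_hash=1"
HEX_BODY = re.compile(r"\A[0-9a-fA-F]{8,}\Z")


def classify(status: int, body: str) -> str:
    """Turn one probe response into a verdict."""
    text = body.strip()
    if status == 200 and HEX_BODY.match(text):
        return "implant"                    # bare hex string: the implant replied
    if status == 200 and "<html" in text.lower():
        return "no-implant-response"        # the stock logout page came back
    return "indeterminate"                  # 404/403/empty: web UI off or filtered


def build_requests(host: str, port: int = 443,
                   variant_auth: Optional[str] = None) -> List[urllib.request.Request]:
    """Requests to send, in order: the original check, then the variant check."""
    url = f"https://{host}:{port}{PROBE_PATH}"
    reqs = [urllib.request.Request(url, data=b"", method="POST")]
    if variant_auth:
        reqs.append(urllib.request.Request(
            url, data=b"", method="POST", headers={"Authorization": variant_auth}))
    return reqs


def probe(host: str, port: int = 443, variant_auth: Optional[str] = None,
          timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Send the probe(s) to one device and return (check, verdict) pairs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE         # management certs are usually self-signed
    results: List[Tuple[str, str]] = []
    for i, req in enumerate(build_requests(host, port, variant_auth)):
        label = "original" if i == 0 else "variant-auth"
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                verdict = classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            verdict = classify(err.code, err.read(4096).decode("utf-8", "replace"))
        except (urllib.error.URLError, OSError) as err:
            verdict = f"error: {err}"
        results.append((label, verdict))
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # constructed address
    auth = sys.argv[2] if len(sys.argv) > 2 else None
    for check, verdict in probe(target, variant_auth=auth):
        print(f"{target} [{check}]: {verdict}")
```

Only probe devices you are authorized to test, and treat "indeterminate" as "verify by another route", not as clean. A device that was implanted and then rebooted will answer "no-implant-response" while the attacker's privilege-15 account still exists, so pair the probe with a configuration audit.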

Indicators of Compromise

  • The file /usr/binos/conf/nginx-conf/cisco_service.conf on the device's underlying Linux filesystem; it is not part of a stock IOS XE installation and is not visible from the IOS CLI with dir flash:.
  • Unauthorized local accounts with privilege 15 (the first wave used names such as cisco_tac_admin and cisco_support).
  • HTTP POST requests to /webui/logoutconfirm.html with logon_hash=1 (or other fixed values) and suspicious body parameters (content, locale); a hexadecimal-string response to such a request means the implant is live.
  • Syslog entries showing configuration applied by the web UI process (%SYS-5-CONFIG_P ... SEP_webui_wsma_http), web UI logins by unknown users (%SEC_LOGIN-5-WEBLOGIN_SUCCESS), or files installed through the web UI (%WEBUI-6-INSTALL_OPERATION_INFO), especially outside normal administrative windows.
  • Unexplained CPU or memory spikes on the device.

Detection Guidance

Administrators can confirm the implant without shell access to the device: the check Cisco Talos published is an unauthenticated HTTPS POST to /webui/logoutconfirm.html?logon_hash=1, which returns a hexadecimal string when the implant is present (the updated variant answers only when the Authorization header value from Talos's revised guidance is supplied). Because the implant lives in the nginx configuration rather than in flash:, listing web UI directories from the IOS CLI will not find it; use the CLI instead to check local accounts, web UI exposure and the syslog indicators above.

Example CLI Checks

show running-config | include username
show running-config | include ip http
show logging | include CONFIG_P|WEBLOGIN_SUCCESS|INSTALL_OPERATION

Security teams should also watch for POST requests to /webui/logoutconfirm.html in any inline proxy, firewall or packet capture that covers the management interface, and for web UI login events from source addresses outside the management network.

Recommended Mitigations

  1. Patch immediately: Upgrade to a Cisco IOS XE release that fixes CVE-2023-20198 and CVE-2023-20273. A reboot alone removes the implant file but leaves the device exploitable and the attacker's accounts in place.
  2. Disable or restrict the web UI: Where it is not operationally required, turn off the HTTP and HTTPS servers (no ip http server and no ip http secure-server, Cisco's interim mitigation); where it is required, bind it to an HTTP access class that admits only management hosts.
  3. Audit local accounts and credentials: Remove unauthorized accounts, and rotate every secret that was readable in the running configuration (local password hashes, SNMP communities, RADIUS/TACACS+ keys, VPN pre-shared keys), since the implant gives the attacker the equivalent of show running-config.
  4. Verify system integrity: Do not trust a device that was cleaned in place; reinstall a known-good image and restore configuration from a backup taken before the compromise window.
  5. Monitor network traffic: Inspect outbound connections from network devices for anomalous destinations or encoded payloads.
  6. Segment management interfaces: Restrict access to trusted management networks only.
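The account, web UI exposure and syslog checks from the detection section and mitigation items 2 to 4 can be run offline against exported show running-config and show logging output. The following is an added example, not code from the original post or from Cisco: the config and log lines are constructed, the syslog message formats are the ones Cisco Talos cited for this activity, cisco_tac_admin is one of the account names reported in the first wave, and the APPROVED_ADMINS names are placeholders for your own allow-list.

```python
"""Added example (not from the original post): offline audit of an IOS XE
running-config and syslog for the indicators on this page.

Inputs are plain text captured from the device; nothing here touches the
network. SAMPLE_CONFIG and SAMPLE_SYSLOG are constructed. The message formats
(%SYS-5-CONFIG_P with process SEP_webui_wsma_http, %SEC_LOGIN-5-WEBLOGIN_SUCCESS,
%WEBUI-6-INSTALL_OPERATION_INFO) are those Cisco Talos cited, and
cisco_tac_admin is one of the account names reported in the first wave.
"""
import re
from typing import Iterable, List, Set

APPROVED_ADMINS: Set[str] = {"netadmin", "backup-admin"}   # placeholder allow-list

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
WEBLOGIN_RE = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS.*\[user:\s*([^\]]+)\]")


def audit_config(running_config: str, approved: Set[str] = APPROVED_ADMINS) -> List[str]:
    """Flag privilege-15 accounts outside the allow-list and an exposed web UI."""
    findings: List[str] = []
    http_on = https_on = access_class = False
    for raw in running_config.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m and m.group(2) == "15" and m.group(1) not in approved:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
        elif line == "ip http server":          # 'no ip http server' will not match
            http_on = True
        elif line == "ip http secure-server":
            https_on = True
        elif line.startswith("ip http access-class"):
            access_class = True
    if http_on or https_on:
        on = ", ".join(n for n, flag in (("http", http_on), ("https", https_on)) if flag)
        note = "" if access_class else " with no ip http access-class"
        findings.append(f"web UI enabled ({on}){note}")
    return findings


def audit_syslog(lines: Iterable[str], approved: Set[str] = APPROVED_ADMINS) -> List[str]:
    """Flag web UI logins by unknown users and changes pushed by the web UI process."""
    findings: List[str] = []
    for raw in lines:
        line = raw.strip()
        m = WEBLOGIN_RE.search(line)
        if m and m.group(1).strip() not in approved:
            findings.append(f"web UI login by unapproved user: {m.group(1).strip()}")
        if "%SYS-5-CONFIG_P" in line and "SEP_webui_wsma_http" in line:
            findings.append("config applied by web UI process: " + line)
        if "%WEBUI-6-INSTALL_OPERATION_INFO" in line and "Install Operation: ADD" in line:
            findings.append("file installed through web UI: " + line)
    return findings


# Constructed sample input: one rogue account, web UI on with no access class.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username backup-admin privilege 15 secret 9 $9$placeholder
username noc-ro privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

# Constructed sample syslog in the formats Talos cited; last line is benign.
SAMPLE_SYSLOG = [
    "Oct 17 03:12:05.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.7] at 03:12:05 UTC Tue Oct 17 2023",
    "Oct 17 03:12:09.440: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "Oct 17 03:12:31.002: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf",
    "Oct 17 08:00:01.350: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.0.0.5] at 08:00:01 UTC Tue Oct 17 2023",
]

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) + audit_syslog(SAMPLE_SYSLOG):
        print("FINDING:", finding)
```

Feed it the real outputs of show running-config and show logging (or the forwarded syslog from your collector) rather than the samples; an empty result is not a clean bill of health, only the absence of these particular indicators, and the presence probe and an image rebuild still apply to any device that was exposed during the compromise window.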

Hunting Queries (SIEM/Sentinel Example)

// Cisco IOS XE syslog forwarded to Sentinel: configuration applied by the
// web UI process (%SYS-5-CONFIG_P ... SEP_webui_wsma_http), as seen during
// CVE-2023-20198 exploitation
Syslog
| where SyslogMessage has "%SYS-5-CONFIG_P" and SyslogMessage has "SEP_webui_wsma_http"
| summarize count() by Computer, HostIP, bin(TimeGenerated, 1h)

// Web UI logins by accounts outside the approved administrator list (replace the list with your own)
Syslog
| where SyslogMessage has "%SEC_LOGIN-5-WEBLOGIN_SUCCESS"
| extend WebUser = extract(@"\[user:\s*([^\]]+)\]", 1, SyslogMessage)
| where isnotempty(WebUser) and WebUser !in ("netadmin", "backup-admin")
| project TimeGenerated, Computer, HostIP, WebUser, SyslogMessage

// Requests to the implant path seen by an inline proxy or firewall that
// forwards CEF (CommonSecurityLog); device syslog itself does not log HTTP requests
CommonSecurityLog
| where RequestMethod == "POST" and RequestURL has "logoutconfirm.html" and RequestURL has "logon_hash"
| summarize count() by SourceIP, DestinationIP, bin(TimeGenerated, 1h)

Why This Matters

The re-emergence of BADCANDY demonstrates the long-tail impact of unpatched network infrastructure. Even after the disclosure of CVE-2023-20198, thousands of Cisco IOS XE devices remain Internet-reachable with the vulnerable web UI feature active. Attackers are exploiting these systems not only for persistence and reconnaissance but also as potential footholds for broader lateral movement across enterprise and government networks.

What Organizations Should Do Now

  • Immediately audit all Cisco IOS XE systems for signs of compromise.
  • Apply Cisco’s official security updates and verify firmware integrity.
  • Implement strict network segmentation for management interfaces.
  • Continuously monitor logs for suspicious HTTP POST activity or unauthorized config changes.
  • Report confirmed infections to Cisco PSIRT and national CERT authorities.

Editor’s Note: This report summarizes ongoing post-exploitation activity linked to CVE-2023-20198. Organizations should assume that unpatched Cisco IOS XE devices are high-value targets and act urgently to verify patch levels, remove implants, and rebuild affected systems from clean images.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.