Urgent Warning for Australian Businesses Using Cisco Network Equipment
The Australian Cyber Security Centre (ACSC) has released an advisory warning that cyber actors are installing a malware implant dubbed “BADCANDY” on Cisco IOS XE devices that are still vulnerable to CVE-2023-20198 (Cyber.gov.au).
As of late October 2025, over 150 devices in Australia remain compromised (The Cyber Express), a concerning figure given that Cisco published fixes for this vulnerability in October 2023, roughly two years earlier.
What is BADCANDY?
BADCANDY is a Lua-based web shell that lets attackers execute commands with root privileges on compromised Cisco IOS XE routers and switches. The implant runs in memory and does not survive a device reboot, but a reboot alone is not a complete fix: threat actors often harvest credentials, add their own administrator accounts or establish other persistence methods before the implant is cleared (Cyber.gov.au).
Key Threat Indicators:
- First observed in October 2023, with renewed activity throughout 2024 and 2025 (Cyber.gov.au)
- Over 400 Australian devices were initially compromised; the number has declined but remains significant (The Cyber Express)
- Attackers can detect when BADCANDY has been removed and quickly re-exploit devices that were rebooted but not patched (Cyber.gov.au)
Why This Matters for Your Business
CVE-2023-20198 carries the maximum CVSS severity score of 10.0. It allows a remote, unauthenticated attacker who can reach the device’s web UI to create a local account with privilege level 15, that is, full administrator access (The Cyber Express). In the observed attacks it is chained with CVE-2023-20273, which the attacker uses from that new account to escalate to root and write the implant onto the device.
Business Impact:
- Complete compromise of network infrastructure
- Potential data breaches and compliance violations
- Reputational damage from security incidents
- Business continuity disruption
Which Businesses Are At Risk?
Any Australian organisation running Cisco IOS XE Software with the web user interface (the HTTP or HTTPS server feature) enabled and reachable from the internet or another untrusted network is potentially vulnerable. This particularly affects:
✓ Small to medium businesses with limited IT security resources
✓ Organisations with delayed patch management practices
✓ Companies without continuous network monitoring
✓ Businesses assuming they’re “too small” to be targeted
Immediate Actions Required
1. Identify Vulnerable Systems: Inventory every Cisco IOS XE router and switch, check whether the HTTP or HTTPS server feature is enabled, and note which of those devices can be reached from the internet.
2. Apply Security Patches: Install the Cisco fixed releases addressing both CVE-2023-20198 (the initial, unauthenticated account creation) and CVE-2023-20273 (the follow-on escalation to root used to install the implant).
3. Reboot Affected Devices: Restart devices to remove the non-persistent BADCANDY implant (Cyber.gov.au). Do this after patching; a rebooted but unpatched device is simply re-exploited.
4. Audit User Accounts: Review the running and startup configuration for administrator-level (privilege 15) accounts you did not create, remove them, and rotate the credentials of legitimate accounts, since the attacker may have captured them.
5. Harden Systems: Disable the HTTP server feature if the web interface isn’t operationally necessary; if it is needed, restrict access to it to trusted management networks only.
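As an added example (not tooling from the ACSC, Cisco or Netcomp Solutions), the following POSIX shell script works through steps 1, 4 and 5 of that checklist against a saved copy of `show running-config`. The hostname, usernames, secret hashes and the allowlist are constructed for the example; on a real device you would export the running configuration over SSH and pass it to the same functions.

```shell
#!/bin/sh
# Added example (not ACSC, Cisco or Netcomp tooling): audit an exported
# "show running-config" from an IOS XE device for the web UI setting and
# for privilege-15 accounts that nobody on the team created, then print
# the hardening commands from step 5.

# Constructed sample config, as saved from "show running-config".
# Hostname, usernames and hashes are invented for this example.
SAMPLE_CONFIG='hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$constructed-hash
username svc_portal privilege 15 secret 9 $9$constructed-hash
username helpdesk privilege 5 secret 9 $9$constructed-hash
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end'

# Privilege-15 accounts your team actually created (assumed allowlist).
ALLOWLIST="netadmin"

# Succeed (exit 0) when the config enables the web UI over HTTP or HTTPS.
# The pattern is anchored, so "no ip http server" does not count as enabled.
web_ui_enabled() {
  printf '%s\n' "$1" | grep -Eq '^ip http (secure-)?server$'
}

# Print each privilege-15 username that is not on the allowlist.
# Only the "username NAME privilege 15 ..." form is checked.
unexpected_admins() {
  printf '%s\n' "$1" |
    awk '$1 == "username" && $3 == "privilege" && $4 == "15" { print $2 }' |
    while IFS= read -r user; do
      case " $ALLOWLIST " in
        *" $user "*) ;;
        *) printf '%s\n' "$user" ;;
      esac
    done
}

# Rewrite the config text as it would look after the web UI is disabled.
disable_web_ui() {
  printf '%s\n' "$1" | sed -e 's/^ip http server$/no ip http server/' \
                           -e 's/^ip http secure-server$/no ip http secure-server/'
}

# Commands to enter on the device when the web UI is not needed.
hardening_commands() {
  printf '%s\n' 'configure terminal' 'no ip http server' \
                'no ip http secure-server' 'end' 'write memory'
}

# Run the audit on the sample config.
if web_ui_enabled "$SAMPLE_CONFIG"; then
  echo "web UI: ENABLED - patch first, then disable or restrict it:"
  hardening_commands
else
  echo "web UI: disabled"
fi
echo "privilege-15 accounts not on the allowlist:"
unexpected_admins "$SAMPLE_CONFIG"
```

On the sample above the script reports the web UI as enabled and flags `svc_portal` as an administrator account that is not on the allowlist. The audit reads only the configuration, so a clean result does not prove the in-memory implant is absent; patching and rebooting (steps 2 and 3) are still required.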
How Netcomp Solutions Can Help
As a leading Managed Services Provider serving Brisbane, Gold Coast, and businesses across Australia, Netcomp Solutions provides comprehensive protection against threats like BADCANDY:
🔒 Immediate Incident Response
- Rapid vulnerability assessment
- Emergency patch deployment
- Comprehensive compromise audits
- Secure configuration implementation
🛡️ Ongoing Protection
- Proactive threat monitoring
- Systematic patch management
- Regular security audits
- 24/7 network surveillance
📊 Strategic Security Planning
- Cybersecurity framework alignment
- Compliance support
- Risk assessment and mitigation
- Staff security awareness training
Don’t Wait Until It’s Too Late
The ACSC advisory emphasises that organisations must patch against CVE-2023-20198, not merely reboot, to prevent re-exploitation (Cyber.gov.au). With threat actors actively scanning for vulnerable devices, every day of delay increases your risk.
Contact Netcomp Solutions today for a complimentary security assessment.
📞 Phone: 1300 363 127
📧 Email: info@netcomp.com.au
🌐 Web: www.netcomp.com.au
Additional Resources
🔗 Full ACSC Advisory: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy
🔗 Report Cybercrime: https://www.cyber.gov.au/report
Netcomp Solutions is a trusted Managed Services Provider delivering comprehensive IT security and support to businesses throughout Brisbane, Gold Coast, and Australia. Contact us today to strengthen your cybersecurity posture.