Active Threat: Immediate Action Required
The Australian Signals Directorate (ASD) is warning of active cyber attacks targeting unpatched Cisco IOS XE devices across Australia using a previously undocumented implant called BadCandy. The vulnerability has a perfect CVSS score of 10.0.
Executive Summary
November 2025 has brought a new wave of sophisticated attacks targeting Australian network infrastructure. The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) has issued an urgent warning about BadCandy, a previously undocumented malware implant specifically designed to compromise Cisco IOS XE devices.
The attacks exploit a critical vulnerability with a perfect CVSS score of 10.0, allowing unauthenticated attackers to create accounts with elevated privileges and establish persistent backdoor access. Australian organizations across critical infrastructure, healthcare, education, and enterprise sectors are confirmed targets.
This represents one of the most serious threats to Australian network security in 2025, with the potential to affect thousands of organizations running vulnerable Cisco equipment.
The BadCandy Threat
Cisco IOS XE Authentication Bypass
What Makes This a Perfect 10.0?
A CVSS score of 10.0 is the most severe classification possible. The vulnerability BadCandy exploits earns that score because it combines:
- No authentication required - Attackers need no credentials to exploit
- Network-based exploitation - Can be exploited remotely over the internet
- Complete system compromise - Grants full administrative control
- No user interaction - Exploitation is fully automated
- Persistent implant - Survives reboots and remains hidden
Technical Characteristics
BadCandy is a sophisticated backdoor implant with several concerning capabilities:
Deployment Method
- Exploits web UI authentication bypass in Cisco IOS XE
- Automatically deploys without user interaction
- Leverages existing system processes to hide presence
- Integrates into IOS XE file system for persistence
Capabilities
- Account Creation: Creates hidden administrative accounts
- Privilege Escalation: Grants Level 15 (highest) access
- Traffic Interception: Can monitor and modify network traffic
- Configuration Changes: Modifies device configurations covertly
- Lateral Movement: Uses compromised device as pivot point
- Persistence: Survives software updates and reboots
Stealth Features
- Minimal footprint in system logs
- Mimics legitimate system processes
- Hidden account creation that doesn't appear in standard user lists
- Traffic obfuscation to avoid IDS/IPS detection
Australian Impact and Targeting
Scale of Exposure
Analysis of internet-facing Cisco IOS XE devices in Australia reveals significant exposure:
Targeted Sectors
ASD has identified active targeting across multiple critical sectors:
Critical Infrastructure
- Energy providers (electricity, gas distribution)
- Water treatment and distribution facilities
- Transportation networks (rail, ports)
- Telecommunications carriers
Impact: Potential for service disruption affecting millions of Australians
Healthcare
- Major metropolitan hospitals
- Regional health networks
- Pathology and diagnostic services
- Private healthcare providers
Impact: Patient data exposure and potential disruption to critical medical services
Education
- Universities (Go8 and regional institutions)
- TAFE and vocational training
- Large secondary schools
- Education departments (state and territory)
Impact: Student and staff data compromise, research IP theft
Government
- State and territory agencies
- Local government councils
- Statutory authorities
- Government-owned corporations
Impact: Sensitive government data exposure, potential espionage
Enterprise
- ASX-listed companies
- Financial services firms
- Legal practices
- Large manufacturing operations
Impact: Corporate espionage, customer data theft, financial fraud
Attack Methodology
Phase 1: Discovery
- Internet-Wide Scanning
- Attackers scan for Cisco IOS XE web UI (typically port 443)
- Automated tools identify vulnerable versions
- Australian IP ranges specifically targeted
- Focus on high-value sectors based on reverse DNS
Phase 2: Initial Exploitation
- Authentication Bypass
- Exploit sent to web UI endpoint
- Bypass creates temporary elevated access
- No credentials or user interaction required
- Exploitation completes in seconds
Phase 3: Implant Deployment
- BadCandy Installation
- Malware uploaded to device file system
- Persistence mechanisms activated
- Hidden administrative account created
- Backdoor listeners established
Phase 4: Post-Exploitation
- Reconnaissance and Lateral Movement
- Network mapping from compromised device
- Credential harvesting from network traffic
- Identification of high-value targets
- Movement to internal systems
Phase 5: Objectives
- Mission Execution
- Data exfiltration (intellectual property, customer data)
- Persistent surveillance and monitoring
- Preparation for destructive attacks
- Establishment of long-term access for espionage
Detection and Indicators of Compromise
Network-Level Indicators
Suspicious Traffic Patterns
- Unusual outbound connections from network devices
- Unexpected HTTP/HTTPS traffic from router/switch management interfaces
- Connections to known malicious IPs (see ASD advisory for IOCs)
- Data exfiltration during off-hours
- DNS queries for suspicious domains
Device-Level Indicators
Check for BadCandy Presence
- Unknown user accounts with privilege level 15
- Unexpected files in flash: or bootflash: directories
- Modified startup or running configurations
- Unexplained CPU or memory usage
- Log entries showing authentication from unknown IPs
Detection Commands
Cisco IOS XE CLI Checks
# Check for suspicious user accounts
show running-config | include username
# Review web UI access logs
show logging | include HTTP
# Check for unexpected files
dir flash:
dir bootflash:
# Review active connections
show ip sockets
# List accounts configured with privilege level 15
# (show privilege only reports the privilege level of your own session, not other users)
show running-config | include privilege 15
ASD Detection Tools
The ACSC has released detection scripts available at cyber.gov.au that can:
- Scan devices for BadCandy indicators
- Check configuration integrity
- Identify unauthorized accounts
- Generate comprehensive security reports
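To turn the CLI checks above into something repeatable, the following added example (not code from the page, the ACSC or Cisco) parses captured output of `show running-config | include username` and `show logging | include HTTP` and flags level-15 accounts outside an approved baseline and web UI logins sourced outside sanctioned management subnets. The sample config and log lines, the approved-account set and the management ranges are constructed assumptions; the log message layout is illustrative only and should be adapted to what your devices actually emit.

```python
import ipaddress
import re

# Constructed sample of "show running-config | include username" output (not real device data).
SAMPLE_USERNAMES = """\
username netops privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
"""

# Constructed sample of "show logging | include HTTP" output; message format is illustrative only.
SAMPLE_LOG = """\
*Nov  3 02:14:07.101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.5] [localport: 443]
*Nov  3 03:41:22.554: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.77] [localport: 443]
*Nov  3 03:41:30.009: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.77] [localport: 443]
"""

# Assumed baseline: sanctioned level-15 accounts and sanctioned management subnets.
APPROVED_LEVEL15 = {"netops"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
LOGIN_RE = re.compile(r"\[user:\s*(\S+)\]\s*\[Source:\s*([\d.]+)\]\s*\[localport:\s*(\d+)\]")


def unapproved_level15(config_text, approved=APPROVED_LEVEL15):
    """Privilege-15 usernames in the running-config that are not in the approved baseline."""
    return sorted(user for user, level in USER_RE.findall(config_text)
                  if int(level) == 15 and user not in approved)


def web_logins_from_outside(log_text, mgmt_nets=MGMT_NETS):
    """(user, source_ip) for web UI login events (port 80/443) sourced outside management subnets."""
    hits = []
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if not match:
            continue
        user, source, port = match.groups()
        if port not in ("80", "443"):
            continue
        src_ip = ipaddress.ip_address(source)
        if not any(src_ip in net for net in mgmt_nets):
            hits.append((user, source))  # failed attempts are kept too: they show who is knocking
    return hits


if __name__ == "__main__":
    print("Unapproved level-15 accounts:", unapproved_level15(SAMPLE_USERNAMES))
    print("Web UI logins from outside mgmt:", web_logins_from_outside(SAMPLE_LOG))
```

Because the page notes that BadCandy's accounts may not appear in standard user lists, a clean result from this config-based check is not proof of absence; it complements, rather than replaces, the ACSC detection scripts.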
Immediate Remediation Steps
Critical Actions (Complete Within 48 Hours)
Short-Term Actions (Complete Within 7 Days)
Long-Term Security Improvements
Attribution and Threat Actor Analysis
Who's Behind BadCandy?
While ASD has not publicly attributed BadCandy to a specific threat actor, the sophistication and targeting suggest characteristics consistent with state-sponsored operations:
Indicators of Advanced Persistent Threat (APT)
- Zero-day exploitation: BadCandy leveraged a previously unknown vulnerability
- Targeted campaigns: Specific focus on Australian critical infrastructure
- Sophisticated malware: Advanced persistence and stealth capabilities
- Strategic objectives: Long-term access rather than immediate financial gain
- Professional development: Custom-built implant showing significant resources
Possible Threat Actor Profiles
Based on tactics, techniques, and procedures (TTPs), potential attribution includes:
- Chinese APT Groups: Historical targeting of Australian critical infrastructure and Five Eyes partners
- Russian State-Sponsored: Recent increase in activity against Western network infrastructure
- Iranian Actors: Growing sophistication in network device targeting
- Emerging Threat Groups: Previously unknown actors with advanced capabilities
Strategic Implications
The BadCandy campaign represents more than opportunistic hacking:
- Pre-positioning: Establishing access for future operations
- Intelligence gathering: Long-term surveillance of Australian organizations
- Potential for disruption: Capability to cause widespread network outages
- Geopolitical tensions: Timing coincides with regional security concerns
Lessons for Australian Organizations
1. Network Devices Are Critical Attack Surfaces
Organizations often focus on endpoint and server security while neglecting network infrastructure:
- Routers and switches are often unpatched
- Management interfaces exposed to the internet
- Weak or default credentials in use
- Limited monitoring and logging
- Treated as "set and forget" infrastructure
2. Perfect CVSS Scores Demand Immediate Response
A 10.0 vulnerability requires drop-everything response:
- Patch within 48 hours or isolate affected systems
- Assume exploitation attempts are already occurring
- Conduct immediate threat hunting
- Prepare incident response procedures
3. Defence in Depth Is Essential
No single security control can prevent all attacks:
- Segment management networks from production
- Implement network access control
- Deploy intrusion detection systems
- Monitor for anomalous device behavior
- Maintain offline backups of configurations
4. Vendor Security Advisories Are Critical
Organizations must monitor and act on security advisories:
- Subscribe to vendor security mailing lists
- Establish processes for rapid patch assessment
- Maintain asset inventory for quick identification
- Test patches in lab before production deployment
5. Government Warnings Require Action
When ASD issues a warning, the threat is real and active:
- ASD warnings are based on observed attacks
- Threats are targeting Australian organizations specifically
- Delayed response increases likelihood of compromise
- Reporting suspected incidents helps protect others
Resources and Support
Official Australian Government Resources
- ACSC BadCandy Advisory: cyber.gov.au
- Report Cyber Incidents: cyber.gov.au/report
- 24/7 Cyber Hotline: 1300 CYBER1 (1300 292 371)
- ACSC Partnership Program: For critical infrastructure operators
Cisco Resources
- Security Advisory: Cisco Security Response Center
- Patches and Updates: software.cisco.com
- Cisco TAC: Technical assistance for customers
Third-Party Detection Tools
- ACSC-provided BadCandy detection scripts
- Cisco IOS XE integrity verification tools
- Network monitoring platforms with Cisco device support
Conclusion: A Wake-Up Call for Australian Cybersecurity
The BadCandy campaign represents one of the most serious cyber threats to face Australian organizations in 2025. A perfect 10.0 vulnerability being actively exploited against critical infrastructure is a scenario that demands immediate, decisive action.
For Australian organizations running Cisco IOS XE devices, the question is not whether to act, but how quickly. Every hour of delay increases the risk of compromise. Every unpatched device is a potential foothold for sophisticated adversaries.
This incident should also serve as a broader wake-up call. Network devices cannot be treated as passive background systems. They are active targets for nation-state actors seeking to establish persistent access to Australian networks.
Organizations that respond swiftly to patch and harden their Cisco devices will mitigate immediate risk. But the long-term lesson is clear: network device security must be elevated to the same priority as endpoint and server security. In an era of sophisticated nation-state cyber operations, every component of your infrastructure is a potential attack surface.
The ASD has provided clear guidance. Cisco has released patches. The threat is active. The time to act is now.