🚨 CRITICAL alert

Cisco IOS XE BADCANDY - Re-Exploitation After Implant Removal

The Australian Signals Directorate (ASD) warns that BADCANDY operators watch for their implant being deleted and immediately re-exploit the device. The chain is straightforward: actors scan for unpatched Cisco IOS XE devices vulnerable to CVE-2023-20198 (CVSS 10.0), exploit the web UI to gain privilege-level-15 control, then deploy BADCANDY for persistent command execution that blends into normal management traffic. The nasty part: rebooting removes BADCANDY only temporarily, and ASD believes the threat actors detect the removal and re-exploit the same vulnerability within hours. The implant gives attackers durable access to network edge gear with full visibility into internal traffic flows, which is ideal for reconnaissance, lateral movement, and credential harvesting. CVE-2023-20198 is a 2023 vulnerability that the Salt Typhoon group is known to use heavily. What's notable: this is a classic case where patching is non-negotiable. Reboots and cleanups do not fix the underlying vulnerability; they just alert the attacker that you noticed. Enterprises with internet-facing IOS XE management interfaces should assume compromise if unpatched, verify device integrity, rotate credentials, and review configuration archives for unauthorized changes.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Compromise of network edge gear enables durable access and broad visibility into internal traffic flows.

Defensive Priority: Patch CVE-2023-20198, lock down management interfaces, rotate credentials, and implement change-control monitoring on affected devices.

Industry Implications: Network appliance implants remain favored for stealthy persistence across sectors.

Strategic Intelligence Guidance

  • Patch CVE-2023-20198 and remove public web UI exposure; enforce out-of-band management networks
  • Rotate local/AAA credentials and validate privilege-15 accounts for unauthorized additions
  • Deploy file-system and HTTP endpoint integrity checks for BADCANDY indicators
  • Instrument SOAR playbooks to watch for rapid reinfection attempts after remediation
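The guidance above asks defenders to validate privilege-15 accounts against a baseline and watch for the web UI being re-enabled after remediation. The following is an added example (not from ASD or Cisco) of a config-archive audit that does both: it parses a current IOS XE running-config against an archived known-good copy using the standard `username ... privilege 15` and `ip http server` / `ip http secure-server` syntax. Both config snapshots and the account name `svc_backup` are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of a current IOS XE running-config (not from a real device).
RUNNING_CONFIG = """
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructedhash1
username svc_backup privilege 15 secret 9 $9$constructedhash2
ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""

# Constructed archived (known-good) config captured before the incident.
ARCHIVED_CONFIG = """
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructedhash1
no ip http server
no ip http secure-server
line vty 0 4
 transport input ssh
"""

# Matches local accounts configured at privilege level 15.
PRIV15_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)
# Matches an enabled HTTP/HTTPS server line; a disabled one is written "no ip http ..."
# and therefore does not start the line with "ip".
WEBUI_RE = re.compile(r"^ip http (secure-)?server\s*$", re.MULTILINE)


def privilege15_users(config: str) -> List[str]:
    """Return local usernames configured with privilege 15, in config order."""
    return PRIV15_RE.findall(config)


def web_ui_enabled(config: str) -> bool:
    """True if the web UI (HTTP or HTTPS server) is enabled in this config."""
    return WEBUI_RE.search(config) is not None


def audit(current: str, archived: str) -> Dict[str, object]:
    """Compare current config to the archived baseline; flag suspected reinfection
    when a new privilege-15 account appears or the web UI was re-enabled."""
    new_users = sorted(set(privilege15_users(current)) - set(privilege15_users(archived)))
    now_on, was_on = web_ui_enabled(current), web_ui_enabled(archived)
    return {
        "new_priv15_users": new_users,
        "web_ui_enabled": now_on,
        "web_ui_was_enabled": was_on,
        "reinfection_suspected": bool(new_users) or (now_on and not was_on),
    }
```

Run the audit on each archive cycle; a `reinfection_suspected` result after a cleanup is the signal the SOAR playbook should escalate rather than treat as a one-off drift.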

CVEs

CVE-2023-20198

Vendors

Cisco

Threats

BADCANDY web shell, router compromise, re-exploitation

Targets

Cisco IOS XE devices, network edge infrastructure