Cisco IOS XE Exploitation in the Wild – BADCANDY Web Shell Deployed

Attackers are actively exploiting a Cisco IOS XE vulnerability in the wild to deploy the BADCANDY web shell on compromised devices. The exploitation campaign targets internet-facing Cisco routers and switches running vulnerable IOS XE software, using the web shell to establish persistent backdoor access for reconnaissance, lateral movement, and data exfiltration. What's interesting about BADCANDY: it's specifically designed to blend into legitimate Cisco web interface traffic, making detection difficult without deep packet inspection or filesystem integrity monitoring. The web shell provides attackers with command execution capabilities, allowing them to run arbitrary commands, manipulate configurations, and pivot deeper into victim networks. Cisco IOS XE devices are pervasive in enterprise and service provider environments, making this a high-value target for threat actors seeking network-level persistence. The vulnerability being exploited allows unauthenticated attackers to create accounts with privilege level 15 access—full administrative control—on affected systems. Organizations with internet-exposed IOS XE management interfaces face immediate risk if they haven't applied patches or implemented access restrictions.