2 min read | Saved February 14, 2026
Do you care about this?
The Australian government is alerting about ongoing cyberattacks exploiting a severe vulnerability in unpatched Cisco IOS XE devices. Attackers are using the BadCandy webshell to gain control, with over 150 devices still compromised as of late October 2025. The Australian Signals Directorate is notifying affected users and urging prompt patching.
If you do, here's more
The Australian government is alerting the public about ongoing cyberattacks targeting unpatched Cisco IOS XE devices. Attackers exploit a severe vulnerability, CVE-2023-20198, which allows them to create a local admin user via the web interface, effectively taking control of the devices. This flaw was patched by Cisco in October 2023, but a public exploit emerged shortly after, leading to widespread attacks aimed at planting the BadCandy webshell on vulnerable routers.
Despite the patch, the Australian Signals Directorate (ASD) reports that over 400 devices may have been compromised by BadCandy since July 2025, with more than 150 still infected as of late October 2025. The webshell gives remote attackers root access, and while it is wiped when the device reboots, an unpatched device can simply be reinfected. The ASD has noted that even after it notifies breach victims, some devices are compromised again, because attackers notice when the webshell has been removed and reinfect the device.
The agency links the rise in BadCandy infections to state-sponsored actors, including a group known as "Salt Typhoon" from China, which has previously attacked major telecommunications providers in North America. In response, the ASD is sending notifications to affected device owners with instructions on patching and enhancing security. It is also coordinating with internet service providers to reach out to victims whose device ownership is unclear. Cisco has released a hardening guide for IOS XE devices to help administrators mitigate these risks.
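The two conditions the article describes, an exposed web interface and an attacker-created local admin user, both show up in a device's running configuration, so a quick configuration audit is a practical first check for administrators. The script below is an added example and is not code from the article, the ASD or Cisco. It assumes configs have been exported as text, uses a constructed sample config rather than one from any real device, and treats the allowlist of expected admin accounts (`EXPECTED_ADMINS`) and the user name `svc-backdoor` as hypothetical. It cannot detect the BadCandy implant itself, which does not appear in the running config; it only flags the exposure and the unexpected-account trace that the article attributes to CVE-2023-20198 abuse.

```python
"""Audit IOS XE running-config excerpts for the exposure conditions behind
CVE-2023-20198 abuse: an enabled web UI and unexpected privilege-15 local users.

Added example, not from the article or from Cisco/ASD. Assumptions are marked.
"""
import re

# Constructed sample running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc-backdoor privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Hypothetical allowlist of admin accounts the operator expects to exist.
EXPECTED_ADMINS = {"netops"}

# Matches 'username <name> privilege <n> ...' lines in IOS-style configs.
_USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def parse_config(text):
    """Extract the facts the audit needs from a running-config excerpt.

    Later lines win, so an explicit 'no ip http server' after
    'ip http server' leaves the feature recorded as disabled.
    """
    facts = {"http_server": False, "http_secure_server": False, "priv15_users": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            facts["http_server"] = True
        elif line == "no ip http server":
            facts["http_server"] = False
        elif line == "ip http secure-server":
            facts["http_secure_server"] = True
        elif line == "no ip http secure-server":
            facts["http_secure_server"] = False
        m = _USERNAME_RE.match(line)
        if m and int(m.group(2)) == 15:
            facts["priv15_users"].append(m.group(1))
    return facts


def audit(text, expected_admins=EXPECTED_ADMINS):
    """Return a list of (severity, message) findings; an empty list means nothing flagged."""
    facts = parse_config(text)
    findings = []
    if facts["http_server"] or facts["http_secure_server"]:
        findings.append((
            "high",
            "web UI (ip http server / ip http secure-server) is enabled; "
            "disable it or restrict it to management networks, and patch",
        ))
    for user in facts["priv15_users"]:
        if user not in expected_admins:
            findings.append(("critical", f"unexpected privilege-15 local user '{user}'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against exported configs from every IOS XE device in the estate, not only the ones already known to be exposed; a clean result does not mean a device was never compromised, since the webshell lives outside the config and is wiped on reboot, but any unexpected privilege-15 account on an unpatched device should be treated as an incident rather than a configuration drift.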