The Australian government is alerting about ongoing cyberattacks exploiting a severe vulnerability in unpatched Cisco IOS XE devices. Attackers are using the BadCandy webshell to gain control, with over 150 devices still compromised as of late October 2025. The Australian Signals Directorate is notifying affected users and urging prompt patching.

Hackers have exploited a remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkits targeting unprotected Linux systems. The attacks, tracked as 'Operation Zero Disco', involved the use of compromised Cisco devices to manipulate logs and network configurations, posing significant risks even to newer switches due to persistent targeting. Currently, there are no reliable tools to detect these compromises, making low-level investigations essential for suspected breaches.

Cisco has addressed a critical security vulnerability (CVE-2025-20309) in its Unified Communications Manager software, which allowed unauthenticated remote access due to static root account credentials that cannot be changed or deleted. The flaw was discovered during internal testing, and affected users are advised to update their systems or apply a provided patch, as exploitation indicators have been identified in system logs.

Technical details of a high-severity flaw in Cisco IOS XE WLC, identified as CVE-2025-20188, have been released, allowing potential exploitation by attackers. The vulnerability stems from a hard-coded JWT that enables unauthenticated file uploads and command execution on affected devices. Users are urged to upgrade to patched versions or disable the vulnerable feature immediately to mitigate risks.