📱 ASD alert: the BADCANDY implant exploits CVE‑2023‑20198 on Cisco IOS XE
📝 Source and context: cyber.gov.au (Australian Government/ASD) publishes an alert on the BADCANDY implant observed since October 2023, with a...
📖 cyberveille : https://cyberveille.ch/posts/2025-11-04-alerte-asd-limplant-badcandy-exploite-cve-2023-20198-sur-cisco-ios-xe/
🌐 source : https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy
#BADCANDY #CVE_2023_20198 #Cyberveille
ASD alert: the BADCANDY implant exploits CVE‑2023‑20198 on Cisco IOS XE

Source and context: cyber.gov.au (Australian Government/ASD) publishes an alert on the BADCANDY implant, observed since October 2023 with renewed activity in 2024‑2025, targeting Cisco IOS XE devices vulnerable to CVE‑2023‑20198. ⚠ ASD describes BADCANDY as a "low equity" Lua web shell installed after exploitation of the Cisco IOS XE web user interface (UI). Actors often apply a non‑persistent patch after compromise to mask the device's vulnerability state with respect to CVE‑2023‑20198. The presence of BADCANDY indicates a compromise through this flaw. The implant does not survive a reboot, but access may persist if credentials or other persistence mechanisms have been acquired; the patch for CVE‑2023‑20198 must be applied and access to the web UI restricted.

CyberVeille
📱 International joint alert: Chinese APTs compromise routers and operators for global espionage
📝 Source and context — Joint alert (NSA, CISA, FBI, DC3, AS...
📖 cyberveille : https://cyberveille.ch/posts/2025-08-29-alerte-conjointe-internationale-des-apt-chinois-compromettent-des-routeurs-et-operateurs-pour-un-espionnage-mondial/
🌐 source : https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
#APT_chinois #CVE_2023_20198 #Cyberveille
International joint alert: Chinese APTs compromise routers and operators for global espionage

Source and context — Joint alert (NSA, CISA, FBI, DC3, ASD/ACSC, CCCS/CSIS, NCSC‑NZ, NCSC‑UK, NÚKIB, SUPO, BND/BfV/BSI, AISE/AISI, Japan NCO/NPA, MIVD/AIVD, SKW/AW, CNI) published in August 2025, TLP:CLEAR. It describes an espionage campaign conducted by Chinese APTs against networks worldwide (telecoms, government, transport, hospitality, military), with a strong focus on backbone/PE/CE routers and long‑term persistence. The activity overlaps with Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807 and GhostEmperor.

CyberVeille
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs

Ransomware group Black Basta’s chat logs were leaked, revealing 62 mentioned CVEs. GreyNoise identified 23 of these CVEs as actively exploited, with some targeted in the last 24 hours.

The scan data for CVE-2023-20198 over recent months across the various search engines speaks for itself.

🛑 According to Onyphe, there are still 50,000 compromised devices, and have been for more than 12 months
⬇️
"Yes, still 50k compromised devices. Since more than 12 months."
👇
https://bsky.app/profile/onyphe.io/post/3li56uz3qmc2c

#Cyberveille #CVE_2023_20198 #SaltTyphoon

ONYPHE (@onyphe.io)

Yes, still 50k compromised devices. Since more than 12 months.

Bluesky Social

Regarding the #Cisco #IOS XE web UI RCE vuln, I wanted to test a few things in a lab environment to help with forensics, detection, etc. But the software is #proprietary and it seems Cisco tries quite hard to make it inaccessible to anyone not paying them. So it's a challenge for #defenders to get some basic answers from a device they control and know is not compromised.

#vulnerability #CVE_2023_20198 #CVE202320198

@cert_eu ⏫ a podcast in 🇫🇷 from #nolimitsecu this morning about #CVE_2023_20198
https://www.nolimitsecu.fr/cve-2023-20198/
CVE-2023-20198 - NoLimitSecu

Episode #430 devoted to the CVE-2023-20198 vulnerability, which impacts a large number of routers. With Patrice Auffret. References:
https://twitter.com/onyphe/status/1715633541264900217
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NoLimitSecu

TL;DR According to some research, tens of thousands of devices are potentially vulnerable to #cve_2023_20198, which affects the #Cisco IOS XE Web UI with a critical vulnerability scored #CVSS 10.0

https://www.zerozone.it/cybersecurity/decine-di-migliaia-di-dispositivi-vulnerabili-alla-cve-2023-20198-di-cisco-ios-xe-web-ui/23326

Tens of thousands of devices vulnerable to CVE-2023-20198 in the Cisco IOS XE Web UI – zerozone.it

TL;DR According to some research, tens of thousands of devices are potentially vulnerable to CVE-2023-20198, which affects the Cisco IOS XE Web UI with a critical vulnerability scored CVSS 10.0

I made a flow chart RE: CVE-2023-20198 that's been added to our blog!
Hopefully this helps understand where we currently stand

https://www.greynoise.io/blog/unpacking-cve-2023-20198-a-critical-weakness-in-cisco-ios-xe

#cve_2023_20198

Unpacking CVE-2023-20198: A Critical Weakness In Cisco IOS XE:

Explore an in-depth analysis of the critical software Web UI Privilege Escalation Vulnerability, CVE-2023-20198, in Cisco IOS XE. Learn about its exploitation in the wild, the threat it poses, and the current lack of a patch. Understand how it's leveraged for initial access and the subsequent delivery of an implant through an undetermined mechanism. Also discover how GreyNoise can help provide timely intelligence surrounding activity related to these Cisco IOS XE systems.

#CVE_2023_20198 is a critical *unpatched* #zeroday vulnerability in the web UI component of Cisco IOS XE software, which runs on a wide range of Cisco routers, switches, controllers, and other devices. This vulnerability is being actively exploited in the wild.
https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitation-of-cisco-ios-xe-zero-day-vulnerability/
Active Exploitation of Cisco IOS XE Zero-Day Vulnerability | Rapid7 Blog

On October 16, Cisco’s Talos group released a blog on an active threat campaign exploiting CVE-2023-20198, a zero-day vuln in Cisco IOS XE software.

Rapid7
New Cisco IOS XE zero day vulnerability has been disclosed as CVE-2023-20198.

This vulnerability is being actively exploited with thousands of Cisco IOS XE devices being breached.

This vulnerability has a CVSS score of 10/10 and affects any Cisco IOS XE device that has the HTTP/HTTPS service enabled and is Internet facing. Successful exploitation could allow the attacker to create admin-level accounts and take over the network.

https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

#infosec #cybersecurity #Cisco #IOSXE #CVE_2023_20198 #zeroday
“Cisco buried the lede.” >10,000 network devices backdoored through unpatched 0-day

An unknown threat actor is exploiting the vulnerability to create admin accounts.

Ars Technica
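As an added defender-side example (not code from ASD, GreyNoise, Cisco or any of the posts above), the following Python audits a `show running-config` text for the two conditions these posts turn on: a web UI that is enabled and not restricted by an access class (the exposure condition described for CVE-2023-20198, and the "restrict access to the web UI" mitigation in the ASD alert), and privilege-15 local accounts outside an operator baseline (the admin-account creation the Ars Technica post describes). The sample config and the `KNOWN_ADMINS` baseline are constructed for this example.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http authentication local
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
"""

# Hypothetical baseline: local admin accounts the operator knows it created.
KNOWN_ADMINS: Set[str] = {"admin"}


def audit_config(config: str, known_admins: Set[str]) -> Dict[str, List[str]]:
    """Flag web UI exposure and unexpected admin accounts in an IOS XE config.

    Checks on the running-config text:
      * 'ip http server' / 'ip http secure-server' present un-negated (web UI on)
      * no 'ip http access-class' line limiting who can reach the web UI
      * 'username <name> privilege 15' entries not in the operator baseline
    """
    lines = [line.rstrip() for line in config.splitlines()]
    findings: Dict[str, List[str]] = {"web_ui": [], "unexpected_admins": []}

    # Exact matches: a disabled feature shows up as 'no ip http server' and must not match.
    http_enabled = any(line == "ip http server" for line in lines)
    https_enabled = any(line == "ip http secure-server" for line in lines)
    access_class = any(line.startswith("ip http access-class") for line in lines)

    if http_enabled:
        findings["web_ui"].append("HTTP web UI enabled (ip http server)")
    if https_enabled:
        findings["web_ui"].append("HTTPS web UI enabled (ip http secure-server)")
    if (http_enabled or https_enabled) and not access_class:
        findings["web_ui"].append("web UI reachable without an ip http access-class restriction")

    # Privilege 15 is full administrative access on IOS XE.
    user_re = re.compile(r"^username (\S+) privilege 15\b")
    for line in lines:
        match = user_re.match(line)
        if match and match.group(1) not in known_admins:
            findings["unexpected_admins"].append(match.group(1))
    return findings


if __name__ == "__main__":
    for category, items in audit_config(SAMPLE_CONFIG, KNOWN_ADMINS).items():
        for item in items:
            print(f"[{category}] {item}")
```

A config with `no ip http server` and `no ip http secure-server` (the Cisco-documented way of disabling the feature) yields no web UI findings; an unexpected privilege-15 user is a reason to investigate, not proof of compromise, since the implant itself leaves no trace in the configuration.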