Overview
- Since July 2025, ASD estimates more than 400 Australian devices were compromised, with over 150 still infected in late October.
- Attackers exploit the CVSS 10 flaw to create privileged accounts via the web interface and deploy the Lua-based BadCandy web shell.
- The implant does not survive a reboot, yet operators detect its removal and re-deploy it on routers that remain unpatched and exposed to the internet.
- ASD is notifying affected entities, asking ISPs to contact unidentified owners, and urging patching, hardening, and incident response per Cisco guidance.
- ASD cites previous use by China-linked groups such as Salt Typhoon and assesses recent activity as consistent with state-sponsored actors.
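Because the intrusion path described above is the web interface and its foothold is an unexpected privileged local account, a defender's first triage step on a fleet is to review each router's running configuration for both. The script below is an added example (not from ASD, Cisco or the advisory): it parses a constructed `show running-config` excerpt, flags privilege-15 users that are not in an assumed per-site baseline, and reports whether the HTTP/HTTPS server is still enabled so the operator can decide whether it should be disabled or restricted.

```python
import re

# Constructed sample of `show running-config` output; account names and
# hashes are placeholders, not indicators from the advisory.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_unknown privilege 15 secret 9 $9$PLACEHOLDER
username readonly privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
"""

# Assumed baseline: the accounts this site expects to hold privilege 15.
EXPECTED_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)
HTTP_RE = re.compile(r"^ip http (?:secure-)?server$", re.MULTILINE)


def find_unexpected_admins(config, expected=EXPECTED_ADMINS):
    """Return privilege-15 local users not present in the expected baseline."""
    return sorted(
        name for name, priv in USER_RE.findall(config)
        if int(priv) == 15 and name not in expected
    )


def web_ui_enabled(config):
    """True if 'ip http server' or 'ip http secure-server' is configured.

    A 'no ip http server' line does not match because the pattern is anchored
    at the start of the line.
    """
    return HTTP_RE.search(config) is not None


def assess(config, expected=EXPECTED_ADMINS):
    """Produce triage findings for one device's running configuration."""
    findings = [f"unexpected privilege-15 user: {n}"
                for n in find_unexpected_admins(config, expected)]
    if web_ui_enabled(config):
        findings.append("web UI (ip http server/secure-server) enabled; review exposure")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_CONFIG):
        print(line)
```

Run it against configs collected from each device (for example via a scheduled `show running-config` pull) and treat any unexpected privilege-15 account as an incident-response trigger rather than a cleanup item.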