Cisco security flaw exploited to build botnet of thousands of devices
It's the second botnet built using the same flaw

- Sekoia researchers warn of new ViciousTrap botnet
- So far, it compromised more than 5,000 dated Cisco routers
- The devices are vulnerable to an old improper validation bug
A high-severity vulnerability plaguing old Cisco routers is being used to build a malicious, global botnet, experts have warned.
Cybersecurity researchers at Sekoia published an in-depth report on the threat actor, dubbed ViciousTrap, which is using a vulnerability tracked as CVE-2023-20118 to target Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers.
This flaw, found in the web-based management interface, allows an authenticated, remote attacker to execute arbitrary commands on an affected device. It is made possible by improper validation of user input within incoming HTTP packets.
PolarEdge's little brother
Unfortunately, Cisco won’t be patching the bug since the affected devices are past their end-of-life date, WNE Security reported.
The vulnerability allowed ViciousTrap to execute a shell script named NetGhost, “which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker's control allowing them to intercept network flows,” Sekoia explained.
So far, almost 5,300 devices, found in 84 countries around the world, have been assimilated into the botnet. The majority of the victims are located in Macau (850).
This is not the first time Sekoia has raised the alarm about CVE-2023-20118. In late February 2025, TechRadar Pro reported that Sekoia was warning about a botnet named PolarEdge, which used the same vulnerability to target a range of devices from Cisco, ASUS, QNAP, and Synology. At the time, roughly 2,000 devices were said to have been affected.
In ViciousTrap’s case, all exploitation attempts came from a single IP address, the researchers further discovered, with the attacks starting in March 2025. The threat actors were also said to have repurposed an undocumented web shell previously used in PolarEdge attacks.
Although these things are always difficult to confirm, Sekoia believes the attackers are Chinese in origin.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.