Cisco security flaw exploited to build botnet of thousands of devices

More than 5,000 devices have already been compromised.

May 27, 2025 - 19:42

  • Sekoia researchers warn of new ViciousTrap botnet
  • So far, it compromised more than 5,000 dated Cisco routers
  • The devices are vulnerable to an old improper validation bug

A high-severity vulnerability plaguing old Cisco routers is being used to build a malicious, global botnet, experts have warned.

Cybersecurity researchers at Sekoia have published an in-depth report on the threat actor, dubbed ViciousTrap, which is using a vulnerability tracked as CVE-2023-20118 to target Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers.

This flaw, found in the web-based management interface, allows an authenticated, remote attacker to execute arbitrary commands on an affected device. It stems from improper validation of user input within incoming HTTP packets.
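To make the vulnerability class concrete, the following is an added illustration (not Cisco's firmware code and not taken from Sekoia's report) of the general pattern the article describes: a parameter from an HTTP request reaching a shell command without validation, beside a hardened handler that allowlists the value and never hands it to a shell. The `host` form field, the request bodies and the host-name policy are all constructed for this example.

```python
"""Vulnerable vs. hardened handling of an HTTP parameter that ends up in a
command.  Added example: a generic command-injection pattern, not the code of
any real router firmware.  Endpoint, field names and bodies are constructed."""
import re
import subprocess
from urllib.parse import parse_qs

# Constructed allowlist: DNS-style labels (letters, digits, hyphens) joined by
# dots; this also admits IPv4 literals.  Anything else is rejected outright.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def parse_form_body(body: str) -> dict:
    """Return the first value of each field in an x-www-form-urlencoded body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_valid_host(host: str) -> bool:
    """True only if the value matches the allowlist and a sane length bound."""
    return len(host) <= 253 and HOST_RE.fullmatch(host) is not None


def vulnerable_ping_command(body: str) -> str:
    """Improper validation: the raw parameter is interpolated into a string
    that the (hypothetical) handler would pass to system()/shell=True.
    Shell metacharacters supplied by the client become part of the command."""
    host = parse_form_body(body).get("host", "")
    return f"ping -c 1 {host}"


def hardened_ping_command(body: str) -> list[str]:
    """Validate against the allowlist, then build argv so that no shell ever
    parses the client-supplied value."""
    host = parse_form_body(body).get("host", "")
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(body: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (not exercised by the checks)."""
    return subprocess.run(hardened_ping_command(body), capture_output=True, timeout=5)


# Constructed request bodies: one benign, one carrying shell metacharacters.
SAFE_BODY = "host=router.example.net"
INJECTED_BODY = "host=127.0.0.1%3B+echo+injected"   # decodes to '127.0.0.1; echo injected'

if __name__ == "__main__":
    print("vulnerable builds:", vulnerable_ping_command(INJECTED_BODY))
    print("hardened builds:  ", hardened_ping_command(SAFE_BODY))
    try:
        hardened_ping_command(INJECTED_BODY)
    except ValueError as err:
        print("hardened rejects: ", err)
```

The defensive point is the combination: an allowlist on the value, plus an argv-style invocation that removes the shell from the path entirely. Either alone leaves a gap (a permissive pattern still lets metacharacters through; a shell-free call still lets an attacker choose arbitrary arguments).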

PolarEdge's little brother

Unfortunately, Cisco won’t be patching the bug since the affected devices are past their end-of-life date, WNE Security reported.

The vulnerability allowed ViciousTrap to execute a shell script named NetGhost, “which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker's control allowing them to intercept network flows,” Sekoia explained.

So far, almost 5,300 devices in 84 countries around the world have been assimilated into the botnet. The majority of the victims are located in Macau (850).

This is not the first time Sekoia has raised the alarm over CVE-2023-20118. In late February 2025, TechRadar Pro reported that Sekoia was warning about a botnet named PolarEdge, which used the same vulnerability to target a range of devices from Cisco, ASUS, QNAP, and Synology. At the time, roughly 2,000 devices were said to have been affected.

The researchers further discovered that all of ViciousTrap's exploitation attempts came from a single IP address, and that the attacks started in March 2025. They also said the threat actors repurposed an undocumented web shell previously used in PolarEdge attacks.

Although these things are always difficult to confirm, Sekoia believes the attackers are Chinese in origin.

Via The Hacker News
