- Sekoia researchers warn of a new vicious botnet
- So far, it has compromised more than 5,000 end-of-life Cisco routers
- The devices are vulnerable to an old improper-validation flaw
A high-severity vulnerability affecting old Cisco routers is being used to build a malicious, global botnet, experts have warned.
Cybersecurity researchers at Sekoia published an in-depth report on a threat actor called ViciousTrap, which uses a vulnerability tracked as CVE-2023-20118 to target Cisco Small Business RV016, RV042, RV042G, RV082, RV320 and RV325 routers.
The flaw, found in the web-based management interface, allows an authenticated, remote attacker to execute arbitrary commands on an affected device; it stems from improper validation of user input within incoming HTTP packets.
PolarEdge’s little brother
Unfortunately, Cisco will not patch the flaw, as the affected devices are past their end of life, WNE Security reported.
The vulnerability enabled ViciousTrap to run a shell script called NetGhost, “which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker’s control, allowing them to intercept network flows,” Sekoia explained.
So far, nearly 5,300 devices in 84 countries around the world have been absorbed into the botnet. The majority of the victims are located in Macau (850).
This is not the first time Sekoia has raised the alarm about CVE-2023-20118. At the end of February 2025, TechRadar Pro reported that Sekoia had warned of a botnet named PolarEdge using the same vulnerability to target a number of devices from Cisco, ASUS, QNAP and Synology. At that time, roughly 2,000 devices were said to have been affected.
In ViciousTrap’s case, all exploitation attempts came from a single IP address, the researchers found, and the attacks are said to have started in March 2025. The threat actors were also said to have reused an undocumented web shell previously used in the PolarEdge attacks.
Although such things are always difficult to confirm, Sekoia believes the attackers are of Chinese origin.
Via The Hacker News
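Two facts in the article are directly usable by defenders: the affected models have no vendor fix, so the only remediation is replacing them or removing their management interface from reachable networks, and the observed exploitation attempts all came from one source address. The following Python script is an added example (not code from the article or from Sekoia's report) that puts both to work: it lists inventory devices whose model is on the affected list, then scans log lines for a single source that reaches the management interface of several of those routers. The inventory, the log format (`<timestamp> <src> -> <dst>:<port> <method> <path>`), the paths and the threshold are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Models the article names as affected by CVE-2023-20118 (end-of-life, no vendor fix).
AFFECTED_MODELS = {"RV016", "RV042", "RV042G", "RV082", "RV320", "RV325"}

# Constructed asset inventory (assumption): management-interface IP -> router model.
INVENTORY = {
    "10.0.1.1": "RV042",
    "10.0.2.1": "RV320",
    "10.0.3.1": "RV325",
    "10.0.4.1": "RV340",  # not in the affected list; serves as a control device
}

# Constructed log lines in an assumed format:
# <timestamp> <src_ip> -> <dst_ip>:<port> <method> <path>
SAMPLE_LOG = """\
2025-03-04T10:00:01Z 203.0.113.7 -> 10.0.1.1:443 POST /mgmt/login
2025-03-04T10:00:02Z 203.0.113.7 -> 10.0.2.1:443 POST /mgmt/login
2025-03-04T10:00:03Z 203.0.113.7 -> 10.0.3.1:443 POST /mgmt/login
2025-03-04T10:00:04Z 203.0.113.7 -> 10.0.4.1:443 POST /mgmt/login
2025-03-04T10:05:00Z 198.51.100.9 -> 10.0.1.1:443 GET /mgmt/status
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def exposed_affected_devices(inventory):
    """Sorted IPs of inventory devices whose model is on the affected list."""
    return sorted(ip for ip, model in inventory.items() if model in AFFECTED_MODELS)


def flag_scanning_sources(log_text, inventory, min_devices=2):
    """Map each source IP that reached the management interface of at least
    `min_devices` distinct affected routers to the sorted list of those routers.
    Requests to non-affected devices and unparseable lines are ignored."""
    affected = set(exposed_affected_devices(inventory))
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in affected:
            continue
        hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items() if len(dsts) >= min_devices}


if __name__ == "__main__":
    print("Affected routers still in inventory:", exposed_affected_devices(INVENTORY))
    for src, dsts in flag_scanning_sources(SAMPLE_LOG, INVENTORY).items():
        print(f"{src} reached {len(dsts)} affected routers: {', '.join(dsts)}")
```

On the constructed input, 203.0.113.7 is flagged for touching three affected routers, while 198.51.100.9 (one request, one device) and the RV340 control device are left out. Lowering `min_devices` to 1 turns the script into a plain list of every source that touched an affected device, which is the more useful mode once the devices themselves are known to be unpatched and reachable.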