- Sekoia researchers warn of the new ViciousTrap botnet
- So far, it has compromised more than 5,000 outdated Cisco routers
- The devices are vulnerable to an old improper input validation bug
A high-severity vulnerability affecting older Cisco routers is being used to build a global malicious botnet, experts have warned.
Sekoia cybersecurity researchers have published an in-depth report on the threat actor, dubbed ViciousTrap, which uses a vulnerability tracked as CVE-2023-20118 to target Cisco Small Business RV016, RV042, RV042G, RV082, RV320 and RV325 routers.
The flaw, found in the web-based management interface, allows an authenticated, remote attacker to execute arbitrary commands on an affected device. It is made possible by insufficient validation of user input in incoming HTTP packets.
Little brother of PolarEdge
Unfortunately, Cisco will not patch the bug because the affected devices have passed their end-of-life date, WNE Security reported.
The vulnerability has allowed ViciousTrap to execute a shell script called NetGhost, "which redirects traffic entering specific compromised routers to honeypot infrastructure under the control of the attacker, allowing them to intercept network flows," Sekoia said.
So far, nearly 5,300 devices, found in 84 countries around the world, have been absorbed into the botnet. The majority of victims are located in Macao (850).
This is not the first time Sekoia has sounded the alarm on CVE-2023-20118. At the end of February 2025, TechRadar Pro reported that Sekoia had warned of a botnet named PolarEdge, which used the same vulnerability to target a range of Cisco, Asus, QNAP and Synology devices. At the time, around 2,000 devices were affected.
In the case of ViciousTrap, the researchers also found that all exploitation attempts came from a single IP address, and said that the attacks began in March 2025. The threat actors are also said to have reused an undocumented web shell that had been used in earlier attacks.
Although such things are always difficult to confirm, Sekoia believes the attackers are of Chinese origin.
Via The Hacker News