Cybersecurity researchers have identified an ongoing exploitation campaign targeting a remote command execution (RCE) vulnerability, CVE-2023-20118, in Cisco Small Business Routers.
This vulnerability affects multiple models, including RV016, RV042, RV042G, RV082, RV320, and RV325.
The flaw resides in the web-based management interface of these devices and stems from improper input validation, which allows unauthenticated attackers to execute arbitrary commands by sending maliciously crafted HTTP requests.
The flaw lies in the delete_cert function within the /cgi-bin/config_mirror.exp binary.
Attackers can inject commands using shell metacharacters such as $(COMMAND) or ;, enabling them to bypass input validation and execute arbitrary code directly on the system.
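As an added illustration (not code from the original report or from the researchers it cites), the following Python scans web-server access-log lines for requests to the /cgi-bin/config_mirror.exp path that carry the shell metacharacters described above. The log format, field names and sample lines are constructed assumptions; a request line only exposes query strings, so injection carried in a POST body needs full request capture to detect.

```python
"""Flag CVE-2023-20118-style command-injection attempts in access logs (added example)."""
import re
from urllib.parse import unquote

# Path of the vulnerable CGI binary named in the report.
TARGET_PATH = "/cgi-bin/config_mirror.exp"

# Metacharacters the report calls out ($(...) and ';'), plus backtick and pipe,
# which shells treat the same way for chaining commands.
META_RE = re.compile(r"\$\(|;|`|\|")

# Combined-log-style request line (assumed format): ip ident user [ts] "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None if the line is benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice: a single layer of percent-encoding is normal, a second layer is a
    # common evasion that would otherwise hide "$(" or ";" from a naive pattern match.
    uri = unquote(unquote(m.group("uri")))
    if not uri.startswith(TARGET_PATH):
        return None
    hits = META_RE.findall(uri)
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "uri": uri,
        "indicators": sorted(set(hits)),
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep only the findings."""
    return [finding for finding in map(analyze_line, lines) if finding]


# Constructed sample lines (RFC 5737 documentation addresses; CMD is a placeholder, not a payload).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jan/2025:10:15:02 +0000] "GET /cgi-bin/config_mirror.exp?cert=%24%28CMD%29 HTTP/1.1" 200 512',
    '198.51.100.4 - - [23/Jan/2025:10:16:40 +0000] "GET /cgi-bin/config_mirror.exp?cert=backup.pem HTTP/1.1" 200 512',
    '192.0.2.9 - - [23/Jan/2025:10:18:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [23/Jan/2025:10:19:55 +0000] "GET /cgi-bin/config_mirror.exp?cert=a.pem%3BCMD HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} indicators={f['indicators']} uri={f['uri']}")
```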
Sophisticated Attacks Observed via Honeypots
Between January 22 and February 10, 2025, cybersecurity monitoring systems detected multiple attempts to exploit this vulnerability.
In one case, attackers deployed a webshell to gain persistent access to compromised devices.
The webshell replaced critical authentication scripts on the router and included mechanisms for executing commands upon successful authentication.
However, evidence suggests that this webshell was primarily used as a delivery mechanism for second-stage payloads before being deleted by the attackers.
Another observed attack involved a coordinated botnet operation that exploited the same vulnerability.
Using a shell script named “q,” attackers downloaded and installed a TLS backdoor on targeted routers.
According to Sekoia, this backdoor, known as “PolarEdge,” establishes encrypted communication channels with command-and-control (C2) servers and enables attackers to execute predefined commands remotely.
PolarEdge Botnet: A Global Threat
Analysis of PolarEdge revealed a botnet comprising over 2,000 infected devices worldwide.
The malware leverages the Mbed TLS library (formerly PolarSSL) for secure communication and targets not only Cisco routers but also Asus, QNAP, and Synology devices.
The botnet appears to have been operational since late 2023 and is particularly active in regions like Asia and South America.
The PolarEdge payload employs advanced techniques for persistence and stealth.
It modifies system files to ensure execution upon device startup and deletes logs to cover its tracks.
Additionally, it adjusts firewall rules to allow incoming connections to the backdoor’s listening port.
The purpose of the PolarEdge botnet remains unclear, but researchers hypothesize that it may be used to transform compromised devices into Operational Relay Boxes (ORBs) for launching distributed cyberattacks.
The sophistication of the payloads suggests involvement by skilled threat actors.
Cisco has not yet issued a patch for CVE-2023-20118. Organizations using affected routers are urged to disable remote management interfaces and implement network segmentation as interim measures.
Enhanced monitoring of edge devices is also recommended to detect signs of compromise early.
This ongoing campaign highlights the critical need for robust security measures on internet-facing devices as they remain prime targets for malicious actors seeking entry points into larger networks.