Analysis

Sekoia cybersecurity researchers have reported the emergence of a new botnet, "ViciousTrap," actively exploiting a high-severity vulnerability (CVE-2023-20118) in specific end-of-life Cisco Small Business routers. This vulnerability, located in the web-based management interface, permits authenticated remote attackers to execute arbitrary commands due to improper user input validation. Over 5,300 devices across 84 countries, with a significant concentration in Macau (850 devices), have been compromised and assimilated into this botnet, which redirects network traffic using a shell script named NetGhost. Cisco has stated it will not issue a patch for these affected routers—models RV016, RV042, RV042G, RV082, RV320, and RV325—as they have surpassed their end-of-life support date. This incident follows a February 2025 alert concerning the "PolarEdge" botnet, which exploited the same vulnerability impacting approximately 2,000 devices. The ViciousTrap attacks, originating from a single IP address since March 2025, are attributed by Sekoia to potentially Chinese threat actors who repurposed a web shell from the PolarEdge campaign. The associated per-ticker sentiment for Cisco (CSCO) is moderately negative at -0.55, though the broader market impact score remains low at 0.25, suggesting the direct financial repercussions for Cisco from these EOL products are perceived as limited.