Attack

Researchers detect hackers exploiting flaw in Cisco Small Business Routers to create botnet

Take action: This attack shows how exposed small businesses are. They often lack the time or resources to maintain their routers, so the devices go unpatched, and an attacker gang then uses the known flaw to get in. If you are running Cisco RV016, RV042, RV042G, RV082, RV320, or RV325, this is an immediate action point - patch your routers ASAP. If you have the resources, check for indicators of compromise. Ideally, replace these devices.


Learn More

Sekoia's Threat Detection & Research (TDR) team has discovered a sophisticated botnet operation named "PolarEdge" that targets various edge devices including Cisco, Asus, QNAP, and Synology products. The botnet has infected over 2,000 devices worldwide and appears to have been active since at least November 2023.

The investigation began in January 2025 when Sekoia detected suspicious network traces in their honeypots targeting Cisco Small Business Routers. The attackers were exploiting CVE-2023-20118 - a vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325. This vulnerability allows unauthenticated attackers to execute remote commands by sending specially crafted HTTP requests.

Two distinct attack patterns were observed:

Webshell Deployment (January 22-31, 2025):

  • Attackers from IP 45.77.152.227 deployed a webshell by exploiting the vulnerability
  • The webshell replaced the router's authentication CGI script to maintain persistence
  • An authentication mechanism was implemented requiring a specific key via the PASSHASH parameter

TLS Backdoor Deployment (February 10, 2025):

  • Multiple coordinated attacks from different IP addresses
  • Exploited the same vulnerability to retrieve and execute a script named "q"
  • The script downloaded and installed a TLS backdoor named "cipher_log"

The PolarEdge malware is a sophisticated TLS backdoor that:

  • establishes persistence through multiple mechanisms
  • configures firewall rules to allow communication on designated ports
  • creates a TLS-secured server that listens for incoming connections
  • uses certificates with "PolarSSL" in the subject or issuer fields
  • reports successful infections, with device details, to attacker infrastructure

The malware was found targeting multiple device types:

  • Cisco routers (RV042, RV340, RV345, etc.)
  • Asus routers (RT-AX55, RT-AX88U, RT-AC58U)
  • QNAP NAS devices
  • Synology NAS devices

The oldest domain associated with the botnet, siotherlentsearsitech.shop, was registered on November 27, 2023, indicating the botnet has been operational since at least that time.

Using the Censys search engine, researchers identified 2,017 unique IP addresses presenting the distinctive PolarSSL certificate used by the botnet. The United States is the most affected country with 540 devices, followed by South Korea, Vietnam, India, Indonesia, Taiwan, and Brazil. The botnet appears particularly prevalent in Asia and South America.

The ultimate purpose of the PolarEdge botnet remains unclear. One working hypothesis is that it could be using compromised devices as Operational Relay Boxes (ORBs) for launching offensive cyber attacks, providing anonymity for the attackers.

Organizations should update Cisco Small Business Routers to patch against CVE-2023-20118, check for suspicious TLS services listening on non-standard ports, and monitor for network connections to the IOCs provided in the report.
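As an added example (not code from Sekoia's report), the following script applies those three checks to a constructed Zeek-style ssl.log: it flags server certificates with "PolarSSL" in the subject or issuer, notes when such a service sits on a non-standard port, and matches connections against the two indicators named above (the attacker IP and the oldest botnet domain). The column layout, sample records, and the two-indicator list are assumptions; the full IOC list is in the report.

```python
"""Triage Zeek-style ssl.log records for PolarEdge-like TLS backdoor indicators."""
from typing import Dict, List

# Indicators quoted in the summary above; extend with the report's full IOC list.
IOC_IPS = {"45.77.152.227"}
IOC_DOMAINS = {"siotherlentsearsitech.shop"}
STANDARD_TLS_PORTS = {443, 8443}

# Constructed sample log (TSV, Zeek ssl.log-like columns); not real traffic.
SAMPLE_SSL_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer
1739174400.1\t198.51.100.7\t51234\t192.0.2.10\t443\tmail.example.net\tCN=mail.example.net\tCN=Example CA
1739174401.2\t203.0.113.9\t40211\t192.0.2.10\t62345\t-\tCN=PolarSSL Test Server\tCN=PolarSSL Test CA
1739174402.3\t192.0.2.10\t38810\t45.77.152.227\t443\tsiotherlentsearsitech.shop\tCN=srv\tCN=srv
"""


def parse_ssl_log(text: str) -> List[Dict[str, str]]:
    """Parse a TSV log whose first non-comment line is the header."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per record that trips at least one indicator."""
    findings = []
    for r in records:
        reasons = []
        cert_text = f"{r['subject']} {r['issuer']}".lower()
        resp_port = int(r["id.resp_p"])
        # PolarSSL (now mbed TLS) sample certs also ship on benign embedded gear,
        # so the string alone is low confidence; the port adds context.
        if "polarssl" in cert_text:
            reasons.append("polarssl-cert")
            if resp_port not in STANDARD_TLS_PORTS:
                reasons.append(f"nonstandard-port:{resp_port}")
        if r["id.orig_h"] in IOC_IPS or r["id.resp_h"] in IOC_IPS:
            reasons.append("ioc-ip")
        if r["server_name"] in IOC_DOMAINS:
            reasons.append("ioc-domain")
        if reasons:
            findings.append({"ts": r["ts"], "resp_h": r["id.resp_h"],
                             "resp_p": resp_port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_ssl_log(SAMPLE_SSL_LOG)):
        print(f)
```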
