- Sekoia researchers warn about the new ViciousTrap botnet
- So far it has compromised more than 5,000 Cisco routers
- The devices are vulnerable to an old improper input validation flaw
A high-severity vulnerability affecting old Cisco routers is being used to build a malicious global botnet, experts have warned.
Cybersecurity researchers at Sekoia published an in-depth report on a threat actor, called ViciousTrap, that uses a vulnerability tracked as CVE-2023-20118 to target Cisco's small-business RV016, RV042, RV042G, RV082, RV320 and RV325 routers.
This flaw, located in the web-based management interface, allows an authenticated remote attacker to execute arbitrary commands on an affected device; it is possible because user input in incoming packets is improperly validated.
PolarEdge's little brother
Unfortunately, Cisco will not patch the bug since the affected devices have passed their end-of-life date, Wne security reported.
The vulnerability allowed ViciousTrap to execute a shell script called NetGhost, "which redirects incoming traffic from specific ports of the compromised router to honeypot-like infrastructure under the attacker's control, allowing them to intercept network flows," Sekoia said.
So far, almost 5,300 devices in 84 countries around the world have been absorbed into the botnet. Most victims are in Macao (850).
This is not the first time Sekoia has sounded the alarm on CVE-2023-20118. At the end of February 2025, TechRadar Pro reported that Sekoia had warned about a botnet called PolarEdge, which used the same vulnerability to target a range of Cisco, ASUS, QNAP and Synology devices. At that time, roughly 2,000 devices were said to be affected.
In the case of ViciousTrap, all exploitation attempts come from a single IP address, the researchers also discovered, adding that the attacks began in March 2025. The threat actors were also said to have reused an undocumented web shell previously used in PolarEdge attacks.
Although such things are always difficult to confirm, Sekoia believes the attackers are of Chinese origin.
Via The Hacker News