PT-2023-2551 · Cisco · Cisco Small Business Routers
Wang Jincheng · Published 2023-01-11 · Updated 2025-10-29 · CVE-2023-20118
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers versions prior to 2025-03-24
Cisco Small Business RV Series Routers versions prior to 2025-03-24
Description
A vulnerability exists in the web-based management interface of Cisco Small Business Routers, stemming from improper validation of user input within incoming HTTP packets. This flaw allows a remote attacker with administrative credentials to execute arbitrary commands on an affected device. Successful exploitation could grant the attacker root-level privileges and unauthorized data access.
The vulnerability, identified as CVE-2023-20118, is actively exploited by threat actors, including the ViciousTrap group, who are leveraging it to build a global honeypot network. Approximately 19,334 devices remain potentially vulnerable, with over 5,300 routers hijacked across 84 countries. The PolarEdge botnet also exploits this vulnerability. The NetGhost script is used to redirect traffic.
The vulnerability is present in routers running end-of-life software, and Cisco has not released any software updates to address this issue.
Recommendations
For Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers versions prior to 2025-03-24, disable the affected feature as described in the Workarounds section.
For Cisco Small Business RV Series Routers versions prior to 2025-03-24, disable the affected feature as described in the Workarounds section.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
RCE
Command Injection
Related Identifiers
Affected Products
Cisco Small Business Routers