
Cybersecurity Threat Advisory

Researchers have identified a new threat actor, “ViciousTrap”, actively exploiting a known vulnerability (CVE-2023-20118) in Cisco Small Business routers to compromise more than 5,300 Cisco edge devices. The attackers are using the flaw to turn the compromised routers into a global honeypot network, putting the traffic that passes through the affected infrastructure at risk. Review the details in this Cybersecurity Threat Advisory to limit your risk.

What is the threat?

ViciousTrap is exploiting CVE-2023-20118, a command injection vulnerability in the web-based management interface of several Cisco Small Business routers. Exploiting it requires access to that interface with valid administrative credentials, which is why an exposed management interface and weak or default passwords are the practical enablers of this campaign. Once a router is compromised, the attackers deploy a series of bash scripts that redirect traffic arriving on specific ports to infrastructure they control, allowing them to intercept network traffic. These scripts set the stage for further exploitation and manipulation of data flow.

Why is it noteworthy?

This threat is especially dangerous because the attacker can silently intercept and redirect network traffic to a global honeypot network, allowing surveillance without triggering obvious alarms on the victim's side. What makes it more alarming is that the affected routers have reached End-of-Life (EoL): Cisco will not release patches for them, so the vulnerability remains open on every device that is still in service. The combination of stealth and lack of vendor support makes this a high-risk vulnerability that organizations cannot afford to ignore.

What is the exposure or risk?

The exposure is significant due to the widespread use of these Cisco Small Business routers, including models such as the RV016, RV042, RV082, and RV325, which are commonly deployed in small office/home office (SOHO) environments and at branch locations. These devices are often overlooked in enterprise security strategies and asset inventories, creating an expansive and underprotected attack surface. Organizations still relying on this outdated hardware could face traffic interception, data loss, or deeper network compromise if the router is used as a foothold.

What are the recommendations?

Barracuda recommends the following to mitigate the risk:

  • Replace affected routers with newer, supported models to ensure ongoing security updates and support. Start by checking your asset inventory for the affected RV-series models, since these devices are frequently undocumented.
  • Disable the remote (WAN-side) web-based management interface on vulnerable routers if it is not needed, and confirm from outside your network that the interface is no longer reachable.
  • Enforce strong, unique administrative passwords and remove any default or unused accounts on the devices; the vulnerability is exploited through the authenticated management interface.
  • Monitor logs and network activity for signs of exploitation, such as unexpected outbound connections from the router, new port-forwarding or redirection rules, or other changes to the configuration.
  • Segment your network infrastructure so that a compromised router cannot reach sensitive internal systems, reducing the impact if a device is compromised.
  • Establish a response procedure for router-based exploitation attempts, including isolating affected devices, collecting traffic logs, and verifying the integrity of firmware and configuration, and include it in your incident response plan. Ensure that staff are trained on their roles in the event of an incident related to the exploitation of this vulnerability.
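As an added example (not Barracuda's tooling and not code from the advisory), the following Python script turns the inventory and monitoring recommendations above into a repeatable check: it flags inventory entries that are affected End-of-Life Cisco Small Business router models (with higher severity when remote web management is still enabled) and scans firewall flow records and router syslog lines for outbound connections to hosts outside an allow list and for configuration changes. The inventory rows, IP addresses, allow list and log lines are constructed for the example; the model set is the one named in Cisco's advisory for CVE-2023-20118, which adds the RV042G and RV320 to the models listed above.

```python
"""Added example (not Barracuda's code): a small triage helper for the
recommendations above. It (1) flags inventory entries that are affected,
End-of-Life Cisco Small Business router models and whether remote web
management is still enabled, and (2) scans firewall/syslog lines for outbound
connections from those routers to hosts outside an allow list and for
configuration-change messages. Inventory, addresses and log lines are
constructed for the example.
"""
import re

# Models named in Cisco's advisory for CVE-2023-20118 (all End-of-Life).
AFFECTED_MODELS = {"RV016", "RV042", "RV042G", "RV082", "RV320", "RV325"}

# Constructed inventory: (hostname, model, management IP, remote web mgmt on?)
INVENTORY = [
    ("branch-rtr-01", "RV042G", "192.0.2.1", True),
    ("branch-rtr-02", "RV325", "192.0.2.2", False),
    ("hq-core", "ISR4331", "192.0.2.254", True),
]

# Destinations the routers are expected to talk to (assumption: NTP and
# the syslog collector). Anything else originating from a router is worth a look.
ALLOWED_OUTBOUND = {"203.0.113.10", "203.0.113.11"}

# Constructed firewall flow records and one router syslog line.
LOG_LINES = """\
2025-05-22T10:01:02Z fw ALLOW src=192.0.2.1 dst=203.0.113.10 dport=123 proto=udp
2025-05-22T10:01:05Z fw ALLOW src=192.0.2.1 dst=198.51.100.77 dport=443 proto=tcp
2025-05-22T10:01:09Z fw ALLOW src=192.0.2.2 dst=203.0.113.11 dport=514 proto=udp
2025-05-22T10:02:30Z branch-rtr-01 config: user admin changed port forwarding rules
2025-05-22T10:03:00Z fw ALLOW src=10.0.0.5 dst=198.51.100.77 dport=443 proto=tcp
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
CONFIG_RE = re.compile(r"^\S+ (\S+) config: (.*)$")


def inventory_findings(inventory=INVENTORY):
    """One finding per affected router. A reachable remote web management
    interface is the exploitation path, so it raises the severity."""
    findings = []
    for host, model, ip, remote_mgmt in inventory:
        if model.upper() in AFFECTED_MODELS:
            severity = "high" if remote_mgmt else "medium"
            findings.append((host, model, ip, severity))
    return findings


def log_findings(lines=LOG_LINES, inventory=INVENTORY, allowed=ALLOWED_OUTBOUND):
    """Flag (a) outbound flows from an affected router to a destination that is
    not on the allow list and (b) configuration changes on an affected router."""
    affected = [(h, ip) for h, m, ip, _ in inventory if m.upper() in AFFECTED_MODELS]
    router_ips = {ip for _, ip in affected}
    router_hosts = {h for h, _ in affected}
    hits = []
    for line in lines.splitlines():
        flow = FLOW_RE.search(line)
        if flow:
            src, dst, dport = flow.groups()
            if src in router_ips and dst not in allowed:
                hits.append(("unexpected_outbound", src, f"{dst}:{dport}"))
            continue
        change = CONFIG_RE.match(line)
        if change and change.group(1) in router_hosts:
            hits.append(("config_change", change.group(1), change.group(2)))
    return hits


if __name__ == "__main__":
    for host, model, ip, sev in inventory_findings():
        print(f"[{sev}] {host} ({model}, {ip}): EoL model affected by CVE-2023-20118")
    for kind, who, detail in log_findings():
        print(f"[alert] {kind}: {who} -> {detail}")
```

On the constructed data the script reports both RV-series routers (the one with remote management enabled as high severity), one outbound connection from branch-rtr-01 to an address that is not on the allow list, and the port-forwarding change on that same router. In a real deployment the allow list should be built from the router's known legitimate peers (NTP, DNS, syslog, the vendor's update servers), and the log parser adapted to the firewall and syslog formats actually in use.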


If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Asaad Shaikh

Asaad is a Cybersecurity Analyst at Barracuda. He supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
