A new PolarEdge botnet infected 2K+ devices over past two years

A new botnet, named PolarEdge, has been discovered infecting over 2,000 devices across the globe over the past two years. First observed by French security firm Sekoia, the botnet has been active since at least the end of 2023, targeting edge devices such as routers and NAS devices.

The botnet’s attack strategy involves the exploitation of the CVE-2023-20118 vulnerability, which affects several Cisco Small Business Routers (RV016, RV042, RV042G, RV082, RV320, RV325). The vulnerability, stemming from improper input validation in the web management interface, allows unauthenticated attackers to execute remote commands (RCE) by sending specially crafted HTTP requests. The first known exploitation attempt occurred on January 22, 2025, when attackers executed a remote command to deploy a webshell. The attackers then used this webshell to gain persistence and deliver secondary payloads.

In February, the attackers changed tactics, simultaneously sending exploit commands from multiple IP addresses in different countries. These commands were used to retrieve a script via FTP. The script was designed to install and execute a TLS backdoor that allowed the attackers to control infected systems.
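The two-stage pattern described above (management-interface requests arriving from several countries in a short window, followed by the edge device itself fetching something over FTP) is something a defender can look for in firewall or flow logs. The script below is an added illustration, not code from Sekoia or from the article: it checks an inventory model string against the Cisco RV models the article lists, and it correlates per-device inbound management-UI hits with a later outbound FTP connection. The log format, the device names, the `country` enrichment field and the 15-minute window are all constructed assumptions for this example; adapt the parser to whatever your firewall actually emits.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Cisco RV models the article names as affected by CVE-2023-20118.
AFFECTED_RV_MODELS = {"RV016", "RV042", "RV042G", "RV082", "RV320", "RV325"}


def is_affected_model(model: str) -> bool:
    """True if an inventory model string matches one of the listed RV models."""
    return model.strip().upper() in AFFECTED_RV_MODELS


@dataclass
class Event:
    ts: datetime
    device: str    # asset name of the edge device (hypothetical inventory tag)
    kind: str      # "mgmt_http": inbound request to the web management UI
                   # "outbound_ftp": the device opened a connection to TCP/21
    peer_ip: str
    country: str   # GeoIP country of peer_ip (hypothetical enrichment field)


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log format:
    <ISO-8601 UTC> <device> <kind> <peer_ip> <country>"""
    ts, device, kind, peer_ip, country = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 device, kind, peer_ip, country)


def find_suspicious(events, window=timedelta(minutes=15), min_countries=3):
    """Return (device, ftp_time, countries, ftp_peer) for every outbound FTP
    connection preceded, within `window`, by management-UI requests from at
    least `min_countries` distinct countries against the same device."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev.device].append(ev)

    findings = []
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            if ev.kind != "outbound_ftp":
                continue
            countries = {p.country for p in evs[:i]
                         if p.kind == "mgmt_http" and ev.ts - p.ts <= window}
            if len(countries) >= min_countries:
                findings.append((device, ev.ts, sorted(countries), ev.peer_ip))
    return findings


# Constructed sample log (TEST-NET addresses, invented device names):
#  - rv042-hq: three countries hit the UI, FTP follows 3 minutes later -> flagged
#  - nas-lab: one country, then FTP -> below the country threshold
#  - rv320-branch: three countries, but FTP 3.5 hours later -> outside window
SAMPLE_LOG = """\
2025-02-10T12:00:01Z rv042-hq mgmt_http 203.0.113.5 US
2025-02-10T12:00:09Z rv042-hq mgmt_http 198.51.100.7 DE
2025-02-10T12:00:20Z rv042-hq mgmt_http 192.0.2.33 BR
2025-02-10T12:03:44Z rv042-hq outbound_ftp 192.0.2.80 NL
2025-02-10T12:10:00Z nas-lab mgmt_http 203.0.113.9 US
2025-02-10T12:11:00Z nas-lab outbound_ftp 203.0.113.10 US
2025-02-10T08:00:00Z rv320-branch mgmt_http 203.0.113.5 US
2025-02-10T08:00:30Z rv320-branch mgmt_http 198.51.100.7 DE
2025-02-10T08:01:00Z rv320-branch mgmt_http 192.0.2.33 BR
2025-02-10T11:30:00Z rv320-branch outbound_ftp 192.0.2.80 NL
"""


def run_on_sample():
    """Apply the correlation to the constructed sample log."""
    events = (parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip())
    return find_suspicious(events)


if __name__ == "__main__":
    for device, when, countries, peer in run_on_sample():
        print(f"{device}: mgmt UI hit from {countries}, then FTP to {peer} at {when:%H:%M}")
```

The threshold of three countries and the 15-minute window are deliberately conservative starting points; an edge device that legitimately serves a management UI to the internet will generate more noise, and the stronger signal in this chain is the outbound FTP from a router or NAS, which most such devices should never initiate at all.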

Subsequent analysis revealed multiple previously undetected payloads from the same botnet family, particularly targeting ASUS, QNAP, and Synology devices.

The botnet had infected devices across the globe, with the United States being the most affected, followed by countries in Asia and South America. Taiwan, the home country of ASUS, QNAP, and Synology, also had a significant number of affected IPs. However, it is unclear whether the botnet is specifically targeting these regions or if the prevalence is due to a higher number of vulnerable devices.

The investigation suggests that the PolarEdge botnet is leveraging compromised devices as "Operational Relay Boxes" for potential offensive cyberattacks. However, this is still a working hypothesis, and no concrete evidence has been found to confirm this. The botnet appears to be focused on targeting edge devices, making it harder to detect due to the diversity of infected assets.
