🔴 CVE-2023-20118

Command injection vulnerability in the web-based management interface of Cisco Small Business RV series routers allows an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges. Proof-of-concept exploits exist, and active exploitation in the wild has been observed since March 2025.

Risk Level: HIGH_RISK
CVSS Score: 6.5
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2023-04-05

Added to CISA KEV: 2025-03-03 (698 days between CVE publication and KEV listing)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2023-20118 is a command injection vulnerability affecting the web-based management interface of several Cisco Small Business routers. Although its CVSS base score is 6.5 (Medium), it is treated as high risk because it is actively exploited and because the affected devices have reached end-of-life (EOL), so Cisco has not released, and will not release, software patches for this flaw.

Overview and Impact
  • Affected Products: Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 [5].
  • Impact: Successful exploitation allows an authenticated, remote attacker to execute arbitrary commands on the affected device with root-level privileges, giving full control over the router and access to any traffic or data it handles.
  • Exploitation Requirements: The vulnerability stems from improper validation of user input within incoming HTTP packets [4]; an attacker sends crafted HTTP requests to the management interface. The vulnerability is described as requiring authentication, but threat actors have actively weaponized it in the wild [3]. In practice the authentication prerequisite is a weak barrier on an internet-exposed interface: default, reused or previously leaked credentials satisfy it, so "authenticated" should not be read as "not reachable by opportunistic attackers".
Active Exploitation and Threat Actors
CVE-2023-20118 has been subject to significant, active exploitation in the wild:
  • ViciousTrap: This threat actor has been observed exploiting the flaw to compromise nearly 5,300 network edge devices across 84 countries, turning them into a global "honeypot-like" network [2].
  • PolarEdge Botnet: Researchers have linked the PolarEdge botnet to the exploitation of this vulnerability to deliver a sophisticated, undocumented TLS backdoor capable of listening for incoming client connections and executing arbitrary commands [1].
Mitigation Status
Because the affected routers are EOL, there is no official patch available from Cisco. Cisco has provided the following recommended workarounds to mitigate the risk:
  • Disable remote management: Turn off access to the web-based management interface from the WAN side; administer the device only from the LAN.
  • Block access: Restrict access to TCP ports 443 and 60443 at the network perimeter so that untrusted networks cannot reach the management interface [1].
These workarounds reduce exposure but do not remove the vulnerable code; the durable fix is to replace the EOL hardware with a supported platform and, for devices that were exposed while exploitation was ongoing, to treat them as potentially compromised.
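A simple way to confirm the second workaround actually took effect is to test, from outside the perimeter, whether TCP 443 and 60443 on the router's WAN address still complete a handshake. The script below is an added example written for this page, not Cisco's code or a tool from the sources; the target address 192.0.2.1 is a documentation placeholder and the port list mirrors Cisco's workaround. Run it from an external vantage point (a VPS, a mobile connection), since from inside the LAN the interface is legitimately reachable and the result says nothing about perimeter filtering.

```python
"""Perimeter exposure check for the Cisco RV web management interface.

Added example, not part of the original page. Attempts a TCP connect to
the ports named in Cisco's workaround (443 and 60443) and reports which
ones still accept connections. A completed handshake from an external
vantage point means the management interface is still reachable and
the workaround is incomplete.
"""
import socket
import sys
from typing import Dict, Iterable, List

# Ports Cisco's workaround says to block at the perimeter.
MANAGEMENT_PORTS = (443, 60443)


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake to host:port completes.

    Refused connections (RST) and timeouts (silently dropped by a filter)
    both count as "not reachable"; only a completed handshake is exposure.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def management_exposure(host: str,
                        ports: Iterable[int] = MANAGEMENT_PORTS,
                        timeout: float = 2.0) -> Dict[int, bool]:
    """Map each management port to whether it is reachable on host."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def exposed_ports(host: str,
                  ports: Iterable[int] = MANAGEMENT_PORTS,
                  timeout: float = 2.0) -> List[int]:
    """Return the sorted list of management ports that still accept connections."""
    exposure = management_exposure(host, ports, timeout)
    return sorted(port for port, reachable in exposure.items() if reachable)


if __name__ == "__main__":
    # Placeholder WAN address (RFC 5737 documentation range); pass the real one.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    result = management_exposure(target)
    for port, reachable in result.items():
        state = "REACHABLE - workaround incomplete" if reachable else "filtered/closed"
        print(f"{target}:{port} {state}")
    # Non-zero exit if anything is still exposed, so this can gate a change ticket.
    sys.exit(1 if any(result.values()) else 0)
```

A non-zero exit means at least one management port still answers from outside; re-check the WAN access rule on the router and the perimeter firewall, and repeat the check after each change. The script only measures reachability, not whether the interface is vulnerable, which for these EOL models should be assumed.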

Sources

  1. PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS...

    As workarounds, Cisco recommended in early 2023 that the flaw can be mitigated by disabling remote management and blocking access to ports 443 and 60443. In the attack registered against Sekoia's honeypots, the vulnerability is said to have been used to deliver a previously undocumented implant, a T…

  2. ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300...

    Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network. The threat actor has been observed exploiting a critical security flaw impacting Cisco Small B…

  3. Cisco, Hitachi, Microsoft, and Progress Flaws

    ... some of the aforementioned flaws are weaponized in the wild, but French cybersecurity company Sekoia revealed last week that threat actors are abusing CVE-2023-20118 ... Lastly, the exploitation of CVE-2018-8639 was highlighted in early 2023 by AhnLab, attributing it to a Chinese hacking group n…

  4. NVD - CVE-2023-20118

    CVE-2023-20118 Detail. Description. A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to…

  5. CVE-2023-20118 Detail - NVD

    A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers.