PolarEdge Botnet: Over 2,000 IoT Devices Infected Globally

February 26, 2025

The PolarEdge botnet, a complex malware campaign focusing on IoT devices, has been unearthed by the Threat Detection & Research (TDR) team at Sekoia. This botnet has successfully infiltrated more than 2,000 devices around the globe and has been in operation since at least the end of 2023. The botnet leverages a remote code execution (RCE) vulnerability, CVE-2023-20118, which affects various Cisco Small Business Router models.

On January 22, 2025, the TDR team detected unusual network activity through their honeypots. The analysis revealed an attempt to exploit the CVE-2023-20118 vulnerability. The threat actor used this exploit to run commands remotely on the targeted router and install a webshell. The vulnerability originates from improper input validation in /cgi-bin/config_mirror.exp, which allows unauthorized attackers to execute commands remotely by crafting malicious HTTP requests.

Between January 22 and 31, 2025, the threat actors deployed a base64-encoded, gzip-compressed webshell to vulnerable routers. To maintain persistence and evade detection, the attacker replaced the router’s authentication CGI script (/usr/local/EasyAccess/www/cgi-bin/userLogin.cgi) with their webshell. By February 10, 2025, the operators of PolarEdge had altered their tactics, swapping the webshells for a TLS backdoor implant, indicating a shift towards large-scale botnet infrastructure.
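The two indicators in the paragraphs above, requests to the vulnerable CGI endpoint and a replaced authentication CGI, are straightforward to check for. The following is an added defender-side example, not code from Sekoia or from the report; the log format, IP addresses and timestamps are constructed, and the known-good hash would have to be taken from a clean firmware image:

```python
import hashlib
import re
from pathlib import Path

# Assumption: the router's web server writes Common Log Format lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# CGI named in the report as the entry point abused for CVE-2023-20118.
VULNERABLE_CGI = "/cgi-bin/config_mirror.exp"
# Authentication CGI the report says PolarEdge replaced with its webshell.
AUTH_CGI = "/usr/local/EasyAccess/www/cgi-bin/userLogin.cgi"


def find_exploit_attempts(log_lines):
    """Return (ip, timestamp, method, status) for every request to the vulnerable CGI,
    regardless of query string or response code (a 403 is still an attempt)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == VULNERABLE_CGI:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits


def cgi_tampered(cgi_bytes, known_good_sha256):
    """True if the on-disk CGI no longer matches the hash recorded from clean firmware."""
    return hashlib.sha256(cgi_bytes).hexdigest() != known_good_sha256


# Constructed sample log lines for illustration only.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jan/2025:10:14:03 +0000] "POST /cgi-bin/config_mirror.exp HTTP/1.1" 200 512',
    '192.0.2.15 - - [22/Jan/2025:10:15:41 +0000] "GET /login.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [22/Jan/2025:10:16:09 +0000] "POST /cgi-bin/userLogin.cgi HTTP/1.1" 200 64',
    '203.0.113.9 - - [23/Jan/2025:01:02:03 +0000] "GET /cgi-bin/config_mirror.exp?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print("exploit attempt:", hit)
    # Placeholder hash: replace with the digest of userLogin.cgi from a clean image.
    KNOWN_GOOD = "<sha256 of clean userLogin.cgi>"
    if Path(AUTH_CGI).exists() and cgi_tampered(Path(AUTH_CGI).read_bytes(), KNOWN_GOOD):
        print("auth CGI differs from known-good hash: possible webshell replacement")
```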

The analysis of these payloads led to the discovery of a botnet consisting of over 2,000 infected assets worldwide, as well as the attacker’s infrastructure. PolarEdge employs a variety of evasion and persistence strategies. The TDR team discovered compromised devices in numerous regions, with the highest number of infections in the U.S. (540 IPs), followed by Taiwan and South America. The botnet's ability to target devices from multiple vendors, including Cisco, Asus, QNAP, and Synology, suggests an ongoing expansion of its operations.

The report concludes that the PolarEdge botnet has been active since at least the end of 2023, targeting a wide array of devices and associated with a significant infrastructure.
