PolarEdge Botnet Exploits CVE-2023-20118 for Unauthenticated Command Execution

Cyber Security News by CyberSum.net

Published on October 14, 2025 at 06:00 PM

3 sources

In early 2025, researchers discovered the PolarEdge botnet, which exploits CVE-2023-20118 to execute unauthenticated commands on compromised devices. The botnet uses a custom TLS server and a proprietary binary protocol to control infected routers and NAS devices. It employs sophisticated anti-analysis techniques and supports multiple modes of operation, including server, connect-back, and debug modes. Defenders are advised to monitor for unusual TLS services and integrity checks on core utilities to detect such implants.

Also Read

GlassWorm Malware Targets Developers via OpenVSX and VS Code

A new supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm. The malware, installed an estimated 35,800 times, hides its malicious code using invisible characters and spreads using stolen account information. It uses the Solana blockchain for command-and-control, making takedown difficult, with Google Calendar as a backup option. The malware steals credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from 49 extensions. It also deploys a SOCKS proxy and installs VNC clients for invisible remote access. The final payload, called ZOMBI, turns infected systems into nodes for cybercriminal activities.

By Cyber Security News by CyberSum.netOctober 20, 2025 at 09:00 PM