Parrot CTFs Blog Offensive Security Topics & Cyber Security News

PolarEdge Botnet Exploits Cisco, ASUS, QNAP and Synology Devices – What You Need to Know

TLDR

PolarEdge is a TLS‑based ELF botnet that targets Cisco Small Business RV‑series routers, ASUS routers, and QNAP and Synology NAS devices. On the Cisco side it exploits CVE‑2023‑20118 and turns compromised hardware into SOCKS5 proxies.

Check firmware versions, take the Cisco RV web management interface off the WAN (Cisco has released no fix for these end‑of‑life models), reboot to clear the in‑memory implant, and block unexpected outbound proxy traffic.

What happened

Security researchers observed a new botnet in early 2025 and named it PolarEdge. The malware is delivered as an ELF binary that wraps its traffic in TLS and runs on Linux‑based firmware. The implant waits for incoming client connections and accepts commands from a remote C2 server.

On Cisco devices PolarEdge uses a known flaw, CVE‑2023‑20118, a command injection in the web management interface of the Small Business RV016, RV042, RV042G, RV082, RV320 and RV325 routers. The bug requires a valid login to the interface, so management pages exposed to the Internet with default or weak credentials are the practical entry point. Attackers use the injection to fetch and run the ELF payload, which installs a backdoor that talks to the attacker over TLS. The backdoor does not survive a reboot: it is a “file‑less” stage that lives only in RAM.

The botnet works in two modes. In connect‑back mode the implant opens a TLS session to the C2 server. It sends a host fingerprint and waits for instructions. In debug mode the implant logs internal state to a temporary file. The logs help the operators refine the code.

Once a device is infected, PolarEdge can do three things. First, it gathers network topology data. Second, it can execute arbitrary shell commands. Third, it can launch GhostSocks. GhostSocks converts the compromised host into a SOCKS5 proxy. The proxy can be used to hide malicious traffic or to pivot into internal networks.

The malware includes several anti‑analysis techniques. It checks for the presence of common sandbox files. It detects debugger processes. It encrypts strings with a custom XOR routine. It also randomises the TLS handshake to avoid fingerprinting. These tricks make static and dynamic analysis harder.

PolarEdge does not attempt persistence. It relies on the fact that many routers and NAS devices are rarely rebooted. The attackers prefer a low‑profile, short‑lived foothold. They can re‑infect the same device later using the same exploit chain.

Why it matters

The affected hardware sits at the edge of corporate networks. It often has privileged access to internal resources. A compromised router can sniff traffic, modify DNS responses, and redirect users to malicious sites. A compromised NAS can expose file shares, credentials, and backup archives.

By turning devices into SOCKS5 proxies, the botnet creates a stealthy tunnel. Attackers can route C2 traffic through legitimate ports. This bypasses many perimeter defenses. The proxy also enables lateral movement. An adversary can reach internal servers without exposing their IP address.

The use of TLS for the implant adds another layer of difficulty. Traditional network sensors see only encrypted traffic. Without deep packet inspection, the malicious flow blends with normal VPN or HTTPS traffic.

The botnet’s anti‑analysis features reduce detection rates. Signature‑based AV solutions miss the payload. Heuristic tools struggle with the randomised TLS handshake. This increases the window of exposure.

Finally, the Cisco vulnerability has been public since 2023, yet many of the affected routers are still online with their management interface reachable from the Internet. The flaw itself is specific to the RV‑series web interface; the ASUS, QNAP and Synology infections show the operators have working entry points for other edge devices as well, so the attack surface is broad and easy to weaponise.

Who is affected

  • Cisco Small Business RV016, RV042, RV042G, RV082, RV320 and RV325 routers. All are end‑of‑life, Cisco has stated it will not release fixed firmware for CVE‑2023‑20118, and the flaw is reachable wherever the web management interface is exposed. These devices are common in branch offices and small businesses.
  • ASUS RT‑AX series Wi‑Fi routers with firmware prior to 3.0.0.15. Home users and small businesses often ignore updates for these devices.
  • QNAP TS‑series NAS running QTS 5.0.x or earlier. These releases run the Linux kernel and userland that the PolarEdge ELF implant is built for.
  • Synology DiskStation Manager (DSM) 7.0 to 7.2 without the March 2025 security patch. The same ELF payload runs on these platforms.
  • Any device that still ships OpenSSL 1.1.1k or earlier. The TLS wrapper depends on this library.

How to check exposure

  1. Identify firmware versions. Log into each router, NAS, or storage device and read the running version (the System Summary page of the web UI on the Cisco RV routers, cat /etc/os-release on QNAP, Control Panel > Info Center on Synology) and compare it against the vendor’s patched releases.
  2. Look for the C2 channel. PolarEdge uses TCP port 8443 for its TLS back‑channel. Check the device’s socket table, and your egress firewall or NetFlow logs, for outbound sessions to unknown IPs on this port.
  3. Search for the implant’s string marker. The binary contains the string "PolarEdge" XOR‑encoded with the single byte 0x5A. If you can dump process memory on the device, search the dump for the encoded bytes rather than for the plaintext string.
  4. Check for GhostSocks processes. The proxy runs as gsocksd and listens on localhost port 1080. Execute netstat -tulpn | grep 1080 (or ss -tlnp) on the device.
  5. Review system logs. Look for repeated TLS handshake failures from the same internal IP to external addresses. Also watch for log entries mentioning “debug mode activated”.
  6. Use vulnerability scanners. Nessus, OpenVAS and Qualys have plugins for CVE‑2023‑20118. Run a full scan on the network segment that contains the suspected devices.
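To make steps 2 to 4 concrete, and to show the single‑byte XOR string hiding mentioned in the anti‑analysis section, here is an added Python example. It is not code from the original post, from the researchers who reported PolarEdge, or from any vendor tool. It assumes the indicator values listed in the steps above (TCP 8443 for the C2 channel, a gsocksd listener on 1080, the string "PolarEdge" XOR‑encoded with 0x5A); the socket table and the memory blob it scans are constructed sample input, not captures from a real device. The marker search also tries all 256 single‑byte keys, which is the general form of the check and does not depend on the reported key being right.

```python
"""Offline checks for the PolarEdge indicators listed in the steps above.

Added example, not code from the original post or from any vendor tool.
The indicator values below are taken from the post and should be treated as
assumptions rather than vendor-confirmed IoCs.
"""
import ipaddress
import re

C2_PORT = 8443             # assumed: TLS back-channel port named in step 2
PROXY_PORT = 1080          # assumed: GhostSocks SOCKS5 listener from step 4
PROXY_PROCESS = "gsocksd"  # assumed: process name from step 4
XOR_KEY = 0x5A             # assumed: single-byte key from step 3
MARKER = b"PolarEdge"      # assumed: plaintext marker from step 3

# One line of `ss -tnp` / `netstat -tulpn` style output, e.g.
# tcp ESTAB 0 0 192.168.1.1:51234 203.0.113.10:8443 users:(("proc",pid=1,fd=7))
SOCK_RE = re.compile(
    r"^\S+\s+(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

# Constructed sample socket table (not captured from a real device).
SAMPLE_SOCKETS = """\
tcp  ESTAB   0  0    192.168.1.1:51234  203.0.113.10:8443  users:(("polar",pid=1401,fd=7))
tcp  ESTAB   0  0    192.168.1.1:41122  198.51.100.5:443   users:(("curl",pid=930,fd=3))
tcp  ESTAB   0  0    192.168.1.1:41200  192.0.2.20:8443    users:(("mgmt",pid=77,fd=5))
tcp  LISTEN  0  128  127.0.0.1:1080     0.0.0.0:*          users:(("gsocksd",pid=1477,fd=4))
tcp  LISTEN  0  128  0.0.0.0:22         0.0.0.0:*          users:(("dropbear",pid=87,fd=3))
"""


def parse_sockets(text):
    """Parse socket-table lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(SOCK_RE.match, text.splitlines()) if m]


def find_suspicious_sockets(text, allowlist):
    """Steps 2 and 4: outbound C2-port sessions to non-allowlisted IPs, and a local proxy listener."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    findings = []
    for s in parse_sockets(text):
        proc = s["proc"] or "?"
        if s["state"] == "ESTAB" and s["rport"] == str(C2_PORT):
            if not any(ipaddress.ip_address(s["raddr"]) in net for net in allowed):
                findings.append(f"outbound {C2_PORT}/tcp to {s['raddr']} by {proc}")
        if s["state"] == "LISTEN" and (s["lport"] == str(PROXY_PORT) or proc == PROXY_PROCESS):
            findings.append(f"listener on {s['laddr']}:{s['lport']} by {proc}")
    return findings


def xor_bytes(data, key):
    """Single-byte XOR, the string-hiding scheme the post attributes to the implant."""
    return bytes(b ^ key for b in data)


def find_xor_marker(blob, marker=MARKER, key=None):
    """Step 3: locate `marker` XOR-encoded with one byte inside a binary or memory dump.

    key=None tries all 256 keys, so the check does not depend on the reported 0x5A.
    Returns a list of (offset, key); key 0 means the marker was found in plaintext.
    """
    keys = range(256) if key is None else [key]
    hits = []
    for k in keys:
        needle = xor_bytes(marker, k)
        i = blob.find(needle)
        while i != -1:
            hits.append((i, k))
            i = blob.find(needle, i + 1)
    return hits


# Constructed ELF-like blob with the marker XOR-encoded at offset 20 (not a real sample).
SAMPLE_BLOB = (b"\x7fELF" + b"\x00" * 16 + xor_bytes(MARKER, XOR_KEY)
               + b"\x00" * 8 + b"some other data")

if __name__ == "__main__":
    for finding in find_suspicious_sockets(SAMPLE_SOCKETS, ["192.0.2.0/24"]):
        print("SOCKET:", finding)
    for off, k in find_xor_marker(SAMPLE_BLOB):
        print(f"MARKER: offset={off} key=0x{k:02x}")
```

Feed it the real `ss -tnp` output copied off the device and a memory dump read with `open(path, "rb").read()`; the allowlist should hold your own management and update servers, since a legitimate 8443 session to a known host is not a finding. A marker hit with key 0 means the string sits in plaintext, which the post's description of the implant would not predict, so treat such a hit with the same suspicion as any other.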

Fast mitigation

  • Mitigate the Cisco flaw. There is no fixed firmware for the affected RV016, RV042, RV042G, RV082, RV320 and RV325 routers; Cisco’s guidance is to disable remote management and block access to TCP ports 443 and 60443 on the WAN interface. Plan to replace these end‑of‑life devices with supported hardware.
  • Update ASUS router firmware. Download the latest firmware from the official ASUS support site. Flash the image via the web UI or TFTP.
  • Upgrade QNAP QTS to 5.1.3 or newer. Enable the automatic update feature to receive future patches.
  • Patch Synology DSM to the latest 7.2.x release. Ensure the “Auto Update” option is turned on.
  • Block outbound TLS to unknown IPs on port 8443. Add an egress firewall rule that permits only known‑good destinations on that port and denies the rest. Log any denied attempts.
  • Disable unused services. Turn off remote management interfaces that are not required. Close ports 22, 23, and 8080 if they are not in use.
  • Restart affected devices. Because PolarEdge does not persist across reboots, a clean restart removes the in‑memory implant.
  • Monitor for proxy activity. Deploy a network IDS that alerts on SOCKS5 handshake patterns. Correlate alerts with device inventory.
  • Enforce strong authentication. Replace default admin passwords with complex, unique credentials. Enable two‑factor authentication where supported.
  • Segment the network. Place routers and NAS devices in a dedicated VLAN. Restrict inter‑VLAN traffic to only required protocols.
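The SOCKS5 proxy behaviour described in the GhostSocks paragraph and in the “Monitor for proxy activity” item above can be recognised on the wire, because the handshake is fixed by RFC 1928. The following is an added Python example, not code from the original post or from any IDS product: a small state machine that walks the payloads of one TCP flow and reports a completed SOCKS5 handshake with the requested destination. The sample flow is constructed, not a capture. Direction labels are relative to the monitored device; proxy malware that dials out to its operator lets the remote end act as the SOCKS client on an outbound connection, so the detector accepts the greeting from either side rather than assuming the device is the client.

```python
"""Recognise a SOCKS5 handshake inside a TCP flow, for the proxy-activity
monitoring step above.

Added example, not code from the original post or from any IDS product.
Message formats follow RFC 1928; the sample flows are constructed, not captures.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_ACCEPTABLE_METHODS = 0xFF
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def is_client_greeting(data):
    """VER=5, NMETHODS, then exactly NMETHODS method bytes."""
    return len(data) >= 3 and data[0] == SOCKS_VERSION and data[1] >= 1 and len(data) == 2 + data[1]


def is_server_choice(data):
    """VER=5 plus the selected method (0x00 no-auth, 0x02 user/pass, 0xFF reject)."""
    return len(data) == 2 and data[0] == SOCKS_VERSION


def parse_request(data):
    """VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port), or None if malformed."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01 and len(data) == 10:                 # IPv4 address
        host, port_off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03 and len(data) == 7 + data[4]:      # length-prefixed domain name
        host, port_off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == 0x04 and len(data) == 22:               # IPv6 address
        host, port_off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[port_off:port_off + 2])[0]
    return CMD_NAMES.get(cmd, f"CMD_0x{cmd:02x}"), host, port


def detect_socks5(flow):
    """Walk (direction, payload) pairs and report the first complete handshake.

    Direction is relative to the monitored device ("from_remote" / "to_remote").
    The SOCKS client may sit on either end: a backconnect proxy lets the remote
    operator act as the client on an outbound connection, so the greeting is
    accepted from whichever side sends it first. Only a full greeting, method
    choice and request sequence counts, which keeps 05 01 00 byte coincidences
    in other protocols from raising an alert.
    """
    state, client_dir = "greeting", None
    for direction, payload in flow:
        if state == "greeting" and is_client_greeting(payload):
            state, client_dir = "choice", direction
        elif state == "choice" and direction != client_dir and is_server_choice(payload):
            if payload[1] == NO_ACCEPTABLE_METHODS:
                return None                              # server rejected; no proxy session
            state = "request"
        elif state == "request" and direction == client_dir:
            req = parse_request(payload)
            if req is None:
                return None
            cmd, host, port = req
            return {"client_side": client_dir, "cmd": cmd, "dst": host, "port": port}
    return None


def ipv4_connect(host, port):
    """Build a CONNECT request for an IPv4 target (helper used to construct samples)."""
    return (bytes([SOCKS_VERSION, 0x01, 0x00, 0x01])
            + ipaddress.IPv4Address(host).packed + struct.pack("!H", port))


# Constructed flow: the remote operator drives a backconnect proxy on the device
# to reach an internal SMB server. Not a real capture.
SAMPLE_FLOW = [
    ("from_remote", bytes([SOCKS_VERSION, 0x01, 0x00])),         # greeting: one method, no-auth
    ("to_remote",   bytes([SOCKS_VERSION, 0x00])),               # device accepts no-auth
    ("from_remote", ipv4_connect("10.0.0.5", 445)),              # CONNECT 10.0.0.5:445
    ("to_remote",   bytes([SOCKS_VERSION, 0x00, 0x00, 0x01]) + bytes(6)),  # reply: succeeded
]

# Constructed benign flow: a TLS ClientHello record (0x16 0x03 ...) never matches.
BENIGN_FLOW = [("to_remote", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03")]

if __name__ == "__main__":
    print(detect_socks5(SAMPLE_FLOW))   # dict describing the CONNECT to 10.0.0.5:445
    print(detect_socks5(BENIGN_FLOW))   # None
```

In a sensor you would feed reassembled TCP payload segments per flow and raise an alert whenever `detect_socks5` returns a result on a connection that is not a known proxy. A `client_side` of `from_remote` on a connection the device opened is the backconnect pattern worth escalating: the remote end is steering the device towards internal targets.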

Following these steps reduces the attack surface dramatically. On the Cisco side the botnet relies on an exposed, unpatchable management interface and on its ability to run in memory. By removing that exposure, restarting the device, and tightening network controls, you remove its foothold and make re‑infection much harder.

Kaz

not a hacker.
