Customers of ASUS’ popular WiFi and broadband routers have been advised to ensure that they’re on the latest firmware (software update) after security researchers at GreyNoise published a new vulnerability, which has already allowed attackers to gain “unauthorized, persistent access” to thousands of devices exposed to the public internet.
The situation, which reminds us of a similar issue with DrayTek’s routers earlier this year, sees attackers exploiting CVE-2023-39780 (severity score of 8.8 out of 10), a command injection flaw, to execute system commands. But it’s a bit more complex than that, as some of the related exploits have yet to be given a designation.
Initial access to an affected router is gained via brute-force logins (i.e. trying masses of different combinations of logins/passwords) and two previously undisclosed authentication bypass vulnerabilities (neither has been assigned a CVE yet). Once authentication has been bypassed, the attackers harness CVE-2023-39780 in order to take over your router.
GreyNoise Statement
The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.
The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices. The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.
As of 27th May 2025, nearly 9,000 ASUS routers are said to have been confirmed as compromised, based on scans from Censys, and the number of affected hosts is growing. The good news is that ASUS recently released new firmware for their routers to protect against the problem.
However, the bad news is that the attacker’s SSH configuration changes are NOT removed by firmware upgrades. Put another way, if a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed.
The research team thus recommends that owners of affected devices block the attackers’ IP addresses (101.99.91.151, 101.99.94.173, 79.141.163.179 and 111.90.146.237), perform a full factory reset and then reconfigure the router manually. Credits to Thinkbroadband for spotting this one.
UPDATE 3rd June 2025 @ 11:21am
We’ve had a statement from ASUS on this issue, which we’ll post in full.
ASUS Statement
In response to recent media reports regarding attempts to exploit vulnerabilities in ASUS routers, ASUS would like to communicate that these vulnerabilities can be fixed. While some have noted that a firmware update alone may not completely address the issue, ASUS would like to emphasize the following recommendations — including updating to the latest firmware, performing a factory reset, and setting strong administrator passwords — to effectively restore and maintain device security.
The steps outlined below are not only essential for mitigating potential risks but also critical for reinforcing long-term protection and responsible device management in today’s evolving cybersecurity environment.
Firmware updates and strong passwords can effectively prevent future risks
These media reports involve security vulnerability (CVE-2023-39780), which was disclosed in 2023. Devices that have been updated with the latest firmware and secured with a strong administrator password can prevent future exploitation of this vulnerability and block similar attack methods.
Users are recommended to use a password at least 10 characters long, and include uppercase and lowercase letters, numbers, and symbols. In addition, ASUS recommends keeping device firmware up to date to ensure ongoing protection.
Devices that may have been affected can be fully restored
If the device was previously using outdated firmware along with a weak password, and users suspect it may have been compromised, please follow the steps below to secure the device:
- Update the firmware to the latest version
- Perform a factory reset to clear any unauthorized or abnormal settings
- Set a strong administrator password as described above
These steps will ensure that the device is fully secured and no residual risk remains.
End-of-Life (EOL) devices can still be safely used
For EOL devices that no longer receive firmware updates, the following best practices are recommended:
- Install the latest available firmware version for the device
- Use a strong administrator password
- Disable all remote access features such as SSH, DDNS, AiCloud, or Web Access from WAN
Completing the above steps will effectively prevent the exploitation methods described in recent reports.
Optional self-checks for suspicious activity
Users may perform the following checks to determine if their device shows signs of unauthorized access:
- Confirm that SSH (especially TCP port 53282) is not exposed to the internet
- Check the System Log for repeated login failures or unfamiliar SSH keys
- If anything appears suspicious, follow the above recommendations to thoroughly remove any potential threats.
ASUS remains fully committed to ensuring the security of its users. Firmware update notifications and security recommendations have been issued for supported models. For further assistance, please contact the ASUS Customer Service team.
Thank you for your continued trust and support.
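The two log-based self-checks above (repeated login failures, unfamiliar SSH keys) as an added Python example; this is not code from ASUS or GreyNoise. It assumes the router’s System Log uses Dropbear-style wording for SSH logins (check the exact text against your own log), and the log lines and key blobs are constructed placeholders.

```python
import base64
import hashlib
import re
from collections import Counter

# Attacker source addresses reported by the research quoted in the article.
REPORTED_ATTACKER_IPS = {"101.99.91.151", "101.99.94.173",
                         "79.141.163.179", "111.90.146.237"}

# Constructed sample of router System Log lines (Dropbear-style wording, assumed).
SAMPLE_LOG = """\
May 27 10:01:12 dropbear[1234]: Bad password attempt for 'admin' from 101.99.91.151:51234
May 27 10:01:13 dropbear[1234]: Bad password attempt for 'admin' from 101.99.91.151:51235
May 27 10:01:15 dropbear[1234]: Bad password attempt for 'admin' from 101.99.91.151:51236
May 27 10:02:00 dropbear[1240]: Password auth succeeded for 'admin' from 192.168.50.10:40001
May 27 10:05:44 dropbear[1250]: Pubkey auth succeeded for 'admin' from 79.141.163.179:22001
"""

# Constructed authorized_keys content; the base64 blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderOwnerKeyBlob0000000000000000 owner@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/UnknownKeyBlob00
"""

FAILED = re.compile(r"Bad password attempt for '\w+' from (\d+\.\d+\.\d+\.\d+):\d+")
SUCCESS = re.compile(r"auth succeeded for '\w+' from (\d+\.\d+\.\d+\.\d+):\d+")

def review_log(log_text, threshold=3):
    """Return (sources with >= threshold failed logins, successful logins from reported IPs)."""
    fails, bad_success = Counter(), []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            fails[m.group(1)] += 1
        elif (m := SUCCESS.search(line)) and m.group(1) in REPORTED_ATTACKER_IPS:
            bad_success.append(m.group(1))
    return {ip: n for ip, n in fails.items() if n >= threshold}, bad_success

def fingerprint(key_b64):
    """SHA256 fingerprint in the same form ssh-keygen -lf prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unfamiliar_keys(authorized_keys_text, known_fingerprints):
    """Return (fingerprint, comment) for each key the owner does not recognise."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        fp = fingerprint(parts[1])
        if fp not in known_fingerprints:
            unknown.append((fp, parts[2] if len(parts) > 2 else "(no comment)"))
    return unknown
```

Compare the fingerprints it reports against `ssh-keygen -lf` output for the keys you actually installed; anything else is grounds for the factory reset ASUS describes.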
It’s more like a sh*tstorm causing panic among less technical users. While they’re not making it obvious, it seems to require exposing a login page to the internet/WAN which is something that isn’t done automatically or out of the box, and has to be done deliberately.
If you use Merlin’s firmware, here is what he had to say:
This article is about the malware itself, not about a new security issue. That malware is getting installed through brute forcing of the login, or through old security issues (one of them going back to 2023 – long fixed).
@anonymous yeah so either infecting from the LAN side (from infected computer/device) or you still need to make login page available from the internet. If web login (80/443/whatever) is not exposed then you can’t perform a brute force on it.
and all of the Asus stock firmware for supported current models (and even some EOL) had their login mechanisms strengthened recently mid 2024 onwards, including the verification and validation controls, which naturally Asus give Merlin the GPL for inclusion in his firmware anyway.
You can lock down the login page to certain IPs too from WAN, if you really have to use it and not do it via a VPN. Obviously, you should have a cert, or use the Let’s Encrypt engine built in, to get a cert for free to secure everything over https.
Having a certificate will not make any difference. This attack is not about sniffing traffic in local network.
Yep, more than aware of that, but if you are on the latest firmware, as I stated, and have to use the web login from the internet, it will secure the transport stream using TLS. Nobody should be using unencrypted http for access, but many do!
Ah, scare tactics, seems to happen a lot these days.
Had a surprise today that my TP-link router has an update, considering it is getting on now and version 2 is now on the market, it is good that TP-link is still updating it.
Asus need to issue an official cleanup tool to remove the compromised configuration.
A bit of downloadable JavaScript to be run in local browser would seem to be sufficient.
Wiping the router removes it
Why advise to block IPs and then factory reset? Seems like an unnecessary step to block IPs when that config will be removed after the reset.
Anybody showing a “Not secure” message in the modem/router access web page URL?
Suddenly appeared on mine recently (following the update to Digital Voice) and no amount of factory resets or changes of the modem/router internal gateway address (within IPv4 private address ranges) has shifted it. Even using secure mode in Edge or Incognito mode in Chrome changed the situation. Last firmware update was April this year.
The online forums have been reporting this occurring since 2022. Surely any internal discrepancy in the software between https detection and the default web page would have been rectified by now?
Any new UK-based American data centres come on stream recently?
All you need to do to fix the insecure message is to make sure that you have a signing certificate installed and working. The error message is due to your browser seeing a self-signed certificate (if any at all) and rightly deciding it’s not trustworthy!