Thousands of ASUS routers hit by stealthy, persistent backdoor attack

Thousands of Asus home and small office routers have been subject to attacks by nation-state or well-funded threat actors to create a stealthy backdoor that allows them to bypass reboots and firmware updates.
GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers
Thousands of Asus routers are being hit with stealthy, persistent backdoors - Ars Technica
https://arstechnica.com/security/2025/05/thousands-of-asus-routers-are-being-hit-with-stealthy-persistent-backdoors/

At the time of writing, the identity of the threat actor behind the backdoor in ASUS routers is unknown. The attacker gains access to the routers by exploiting vulnerabilities that have already been patched. Some of these patched vulnerabilities were never assigned an identifier in the internationally recognized Common Vulnerabilities and Exposures (CVE) system, and the threat actor is taking advantage of this to break into routers.
One of the vulnerabilities exploited by the threat actors was CVE-2023-39780, a command injection vulnerability that allows the execution of system commands. ASUS fixed the vulnerability in a firmware update, but for unknown reasons the vulnerability did not receive a CVE tracking designation.
After exploiting the vulnerability and gaining administrative privileges on the device, the threat actors install a public key for SSH access to the router, allowing anyone holding the matching private key to log in to the router with administrative privileges.

The existence of this backdoor was discovered and reported by researchers at security firm GreyNoise. "Attackers' access persists even after reboots and firmware updates, allowing them to maintain persistent control of affected routers," the researchers wrote. "Attackers can use chained authentication bypasses, exploitation of known vulnerabilities, and misuse of legitimate configuration features to plant malware or maintain unauthorized access to routers for long periods of time without leaving any obvious traces."
GreyNoise says it is tracking approximately 9,000 routers worldwide that have been fitted with this backdoor, and that the number is growing over time. However, GreyNoise's research team says it has found no indication that the infected routers have yet been used for any activity. Rather, the researchers suggest that the large number of compromised routers may have been staged by the threat actor for future attacks.
GreyNoise's research team noted that the compromised ASUS routers may be part of a larger attack campaign.

You can check whether your ASUS router is affected by reviewing the SSH settings in its configuration panel. On a backdoored router, SSH login is enabled on port 53282 using a public key whose displayed text appears truncated. Alternatively, your router may be infected if the system log shows access from the IP addresses '101.99.91.151', '101.99.94.173', '79.141.163.179', or '111.90.146.237'.
To remove the backdoor, delete the key and the port setting.
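The two checks above (SSH port plus authorized key, and log entries from the listed IPs) can be scripted against an exported configuration and log. The following is an added example, not code from GreyNoise or ASUS; the nvram variable names sshd_enable, sshd_port and sshd_authkeys are an assumption about ASUSWRT and the sample dump and log lines are constructed.

```python
import re

# Indicators from the article: the backdoor's SSH port and the four reported source IPs.
BACKDOOR_SSH_PORT = 53282
SUSPICIOUS_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

# Constructed nvram-style "key=value" dump. Variable names are an assumption about
# ASUSWRT firmware; the key blob is a made-up placeholder, not a real indicator.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAAB... placeholder@example
lan_ipaddr=192.168.50.1
"""

# Constructed syslog-style lines; timestamps and the LAN client IP are made up.
SAMPLE_LOG = """\
May 28 10:01:12 dropbear[1234]: Child connection from 101.99.91.151:41234
May 28 10:01:13 dropbear[1234]: Pubkey auth succeeded for 'admin' from 101.99.91.151:41234
May 28 11:15:00 dropbear[1300]: Child connection from 192.168.50.20:51000
"""

def parse_nvram(text):
    """Parse key=value lines into a dict; a repeated key keeps its last value."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_ssh_settings(nvram_text):
    """Return human-readable findings for the SSH configuration described in the article."""
    s = parse_nvram(nvram_text)
    findings = []
    if s.get("sshd_enable") == "1" and s.get("sshd_port") == str(BACKDOOR_SSH_PORT):
        findings.append(f"SSH enabled on port {BACKDOOR_SSH_PORT}")
    if s.get("sshd_authkeys", ""):
        findings.append("authorized key(s) present: review them")
    return findings

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def find_suspicious_ips(log_text):
    """Return the subset of indicator IPs that appear anywhere in the log text."""
    return {ip for ip in IP_RE.findall(log_text) if ip in SUSPICIOUS_IPS}

if __name__ == "__main__":
    print("findings:", check_ssh_settings(SAMPLE_NVRAM))
    print("indicator IPs in log:", sorted(find_suspicious_ips(SAMPLE_LOG)))
```

A key finding on its own is not proof of compromise; compare any listed key against ones you deliberately installed.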
in Security, Posted by logu_ii