Thousands of Asus routers have been compromised in a sophisticated cyberattack, transforming them into a powerful botnet capable of planting damaging malware, according to cybersecurity experts.
Stealthy Campaign Targets Asus Routers
Researchers at GreyNoise first detected the campaign in mid-March 2025. The attackers targeted older, poorly secured Asus routers, using brute-force methods and authentication bypass techniques to gain initial access. Once inside, they exploited a known command injection vulnerability, tracked as CVE-2023-39780, which carries a high severity score of 8.8 out of 10.
This vulnerability was first published in the National Vulnerability Database in September 2023. Asus has since released firmware updates to address the flaw, but many devices remain unpatched and vulnerable.
Advanced Tactics and Persistent Access
GreyNoise researchers used their Sift network payload analysis tool and an emulated Asus router profile to analyze the attacks. The threat actors leveraged the command injection flaw to execute system commands, allowing them to install a backdoor in the router's non-volatile memory (NVRAM). This ensures that their access persists even after device reboots or firmware updates.
"The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks," GreyNoise explained.
Scale and Impact
While the exact number of compromised devices remains unclear, researchers confirm that "thousands" of routers have been affected, with the number continuing to rise. The attackers' sophisticated methods and ability to maintain long-term, undetected access suggest a highly capable and well-resourced adversary.
Protecting Your Devices
Users of Asus routers are strongly advised to update their firmware to the latest version and review their device security settings. Ensuring strong, unique passwords and disabling unnecessary remote access features can help reduce the risk of compromise.
This incident highlights the ongoing risks posed by unpatched vulnerabilities in consumer hardware and the importance of proactive cybersecurity measures.
