Thousands of Asus home and small office routers have fallen victim to a stealthy backdoor campaign, according to cybersecurity researchers. The attack, believed to be orchestrated by a nation-state or a highly resourced threat actor, enables persistent unauthorized access to affected devices.
How the Attack Works
The attackers exploit vulnerabilities—some of which were previously untracked in the CVE system—to gain administrative control over Asus routers. Once inside, they install a public encryption key, allowing anyone with the corresponding private key to log in via SSH with full system rights.
Persistence and Stealth
What makes this campaign particularly concerning is its resilience. According to researchers at security firm GreyNoise, the backdoor survives both device reboots and firmware updates. This durable control is achieved by chaining together authentication bypasses, exploiting known vulnerabilities, and abusing legitimate configuration features—without deploying traditional malware or leaving obvious traces.
Scope of the Compromise
GreyNoise has identified approximately 9,000 compromised Asus routers globally, with the number continuing to rise. So far, there is no evidence that the attackers have used these devices for further malicious activity. Instead, researchers believe this may be the early phase of a larger operation, with the attackers amassing a network of compromised devices for potential future use.
Expert Insights
“The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices,” GreyNoise researchers reported. “The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.”
What Users Should Do
Owners of Asus routers are urged to ensure their devices are running the latest firmware and to review security settings. Regularly updating passwords and monitoring for unusual activity can help mitigate risk, though the sophistication of this attack highlights the importance of ongoing vigilance and timely patching.
