Multiple ASUS Routers Impacted by New Security Vulnerability | ISPreview UK


Customers of ASUS’ popular WiFi and broadband routers have been advised to ensure that they’re on the latest firmware (software update) after security researchers at GreyNoise published a new vulnerability, which has already allowed attackers to gain “unauthorized, persistent access” to thousands of devices exposed to the public internet.

The situation, which reminds us of a similar issue with DrayTek's routers that occurred earlier this year (here and here), sees attackers exploiting CVE-2023-39780 (severity score of 8.8 out of 10) – a command injection flaw – to execute system commands. But it's a bit more complex than that, as some of the related exploits have yet to be given a designation.

NOTE: The vulnerability appears to impact multiple models of routers from ASUS, such as the RT-AX55, RT-AX59U, RT-AX86 and many more. But we haven’t yet found a full and confirmed list.

Initial access to an affected router is gained via brute-force logins (i.e. trying large numbers of username/password combinations) and two previously undisclosed authentication bypass vulnerabilities (neither has been assigned a CVE yet). Once authentication has been bypassed, the attackers harness CVE-2023-39780 in order to take over your router.

GreyNoise Statement

The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.

The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices. The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.

As of 27th May 2025, nearly 9,000 ASUS routers are said to have been confirmed as compromised, based on scans from Censys, and the number of affected hosts is growing. The good news is that ASUS recently released new firmware for their routers to protect against the problem.

However, the bad news is that the attacker’s SSH configuration changes are NOT removed by firmware upgrades. Put another way, if a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed.

The research team thus recommends that owners of affected devices block the attackers' IP addresses (101.99.91.151, 101.99.94.173, 79.141.163.179 and 111.90.146.237), perform a full factory reset, and then reconfigure the router manually. Credits to Thinkbroadband for spotting this one.
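As an added illustration of the advice above to explicitly review SSH access and watch for the listed addresses (this is not code from the article, GreyNoise or ASUS): a small Python audit that reads an exported router settings dump, flags SSH enabled towards the WAN and any authorized key the owner did not install, and checks firewall log lines for the four IP addresses named. The nvram variable names, their semantics and the '<' list separator are assumptions to confirm against your own firmware; the dump and log lines are constructed samples.

```python
import re
# Attacker IP addresses named in the article.
ATTACKER_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

# Constructed sample of an ASUSWRT-style `nvram show` dump (not from a real device).
# The variable names and the '<' list separator are assumptions; confirm them on your firmware.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_port=2222
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA_EXAMPLE_A admin@home<ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA_EXAMPLE_B unknown
"""
# Keys the owner knowingly installed (constructed).
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA_EXAMPLE_A admin@home"}

# Constructed firewall log lines in the netfilter log format.
SAMPLE_LOG = """\
May 27 10:00:01 router kernel: ACCEPT IN=eth0 SRC=101.99.91.151 DST=203.0.113.10 PROTO=TCP DPT=2222
May 27 10:00:05 router kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443
May 27 10:01:09 router kernel: DROP IN=eth0 SRC=111.90.146.237 DST=203.0.113.10 PROTO=TCP DPT=22
"""

def parse_nvram(dump, list_sep="<"):
    # Turn `name=value` lines into a dict; values containing list_sep become lists.
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name] = value.split(list_sep) if list_sep in value else value
    return settings

def audit_ssh(settings, known_keys):
    # Findings: WAN-exposed sshd and any authorized key the owner did not install.
    # Assumed semantics: sshd_enable 0 = off, 1 = LAN+WAN, 2 = LAN only.
    findings = []
    if settings.get("sshd_enable") == "1":
        findings.append(f"SSH reachable from WAN (sshd_enable=1, port {settings.get('sshd_port', '?')})")
    keys = settings.get("sshd_authkeys", [])
    for key in (keys if isinstance(keys, list) else [keys]):
        if key and key not in known_keys:
            findings.append("unrecognised authorized key: " + key.split()[-1])
    return findings

SRC_RE = re.compile(r"SRC=(\d{1,3}(?:\.\d{1,3}){3})")
def attacker_hits(log_lines, watch_ips=ATTACKER_IPS):
    # Return (source IP, log line) pairs whose SRC= field is a watched address.
    hits = []
    for line in log_lines:
        m = SRC_RE.search(line)
        if m and m.group(1) in watch_ips:
            hits.append((m.group(1), line))
    return hits
```

Any finding from `audit_ssh` on a router that has already been firmware-updated is exactly the case the article warns about: the update does not undo the configuration, so a factory reset and manual reconfiguration are still needed.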
