ASUS has released firmware updates addressing nine vulnerabilities in AiCloud-enabled routers, including a critical authentication-bypass flaw (CVE-2025-59366) that could allow remote, unauthenticated command execution via Samba-related issues. This development compounds earlier 2025 ASUS router risks and follows the previously reported stealthy attack wave.
Operation WrtHug is a sophisticated cyber-espionage campaign that has transformed thousands of home and small-office ASUS routers into unwitting tools for global surveillance and network attacks. This operation, uncovered by SecurityScorecard’s STRIKE team on November 19th, targets specific ASUS router vulnerability issues to infiltrate and control devices across the world, particularly exploiting end-of-life (EoL) hardware.
If you’re wondering whether your router could be next, keep reading and discover how to automatically detect vulnerabilities later in the article using Fing.
How the ASUS Router Hack Works
Operation WrtHug leverages a collection of publicly known vulnerabilities, often called “Nth day” exploits, to gain high-level control over ASUS routers. This method mirrors the tactics seen in other recent ASUS router hack incidents. The attack primarily abuses the AiCloud service, a remote access feature, for initial entry. Once compromised, these routers are roped into a vast botnet, controlled by suspected state-sponsored threat actors.
Key vulnerabilities utilized are:
- CVE-2023-39780, a severe bug rated 8.8 on the CVSS scale and linked to OS command injection, collectively grouping CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348
- CVE-2024-12912: Arbitrary command execution with a 7.2 CVSS score.
- CVE-2025-2492: Improper authentication control, rated 9.2 CVSS.
ASUS Routers Hacked Models
Once infected, these routers are incorporated into the botnet and used to proxy malicious traffic and expand espionage infrastructure, the hallmark of an advanced ASUS router cyberattack. The following models have been targeted so far:
- ASUS Wireless Router 4G-AC55U
- ASUS Wireless Router 4G-AC860U
- ASUS Wireless Router DSL-AC68U
- ASUS Wireless Router GT-AC5300
- ASUS Wireless Router GT-AX11000
- ASUS Wireless Router RT-AC1200HP
- ASUS Wireless Router RT-AC1300GPLUS
- ASUS Wireless Router RT-AC1300UHP
Researchers identified over 50,000 unique IP addresses associated with compromised devices globally. Infected routers share a unique, long-term TLS certificate (a digital fingerprint used to track the campaign) valid for 100 years, underscoring the attackers’ intent for persistence and stealth.
Recent ASUS Router Cyberattacks
Operation WrtHug is not the first ASUS router cyberattack tracked in 2025. In May 2025, a separate operation exploited a similar ASUS router vulnerability compromising over 9,000 devices for use in a stealthy proxy network, according to data observed by GreyNoise. ASUS has since acknowledged the issue, advising users to update devices to the latest firmware, perform a factory reset, use strong passwords, and disable remote management unless necessary (guidance that applies to even EoL models). These ongoing threats heighten the urgency of regular patching and device monitoring for all router users.
Prior to that, in March 2025, the PolarEdge botnet sought to take root in not just routers but also NAS systems from major brands including Synology, Cisco, QNAP, as well as ASUS. The frequency and boldness of these attacks point to a pattern in the intent to exploit not just known vulnerabilities, but also legacy and outdated devices. This further highlights the urgency in which potentially affected owners of these devices must act.
Secure Your Router Before It’s Too Late
To defend against ASUS router vulnerabilities and botnet recruitment, users should:
- Regularly update router firmware to ensure patches for any known ASUS router vulnerability are applied.
- Disable unnecessary services like AiCloud and remote management if not in use.
- Change default credentials to strong, unique passwords.
- Conduct vulnerability scans with tools such as the Fing Router Vulnerability Check, which identifies exposed ports and risky configurations.
- Consider a factory reset if compromise is suspected, and audit network devices for unauthorized changes.
For step-by-step security checks, users can refer to Fing’s comprehensive router security guide, which includes automated scan options and actionable alerts for vulnerable setups.
Operation WrtHug demonstrates the evolving danger posed by neglected and legacy hardware in home and office networks. Vigilance, proactive updates, and the use of security tools are crucial in disrupting these global botnet campaigns before they take root.
Uncover Router Vulnerabilities Automatically Using Fing
You don’t need to wait for an article like this to discover your router, and potentially your entire network, has been compromised. A practical tool for assessing your router’s security is the Fing Router Vulnerability Check, available with all Fing subscriptions. This feature scans your router for known issues — including open ports that leave the device exposed to remote attacks — and alerts you to configuration risks, helping you detect potential compromises early.
