at least 10 characters long, and include uppercase and lowercase letters, numbers, and symbolsIn May 2025, cybersecurity researchers discovered a sophisticated and ongoing campaign exploiting an Asus router vulnerability. This large-scale operation has compromised thousands of devices and turned them into part of a malicious proxy network. Attackers have hacked Asus routers by leveraging multiple previously patched vulnerabilities to install persistent backdoors that allow remote control.
Scope of the Attack: Over 9,000 Routers Compromised
According to data observed by GreyNoise, more than 9,000 Asus routers have been infected and are being used as part of a stealthy proxy network. These compromised routers enable attackers to relay traffic anonymously, potentially to obscure malicious activities.
The campaign has been active since at least March 2025 and shows signs of persistence and resilience — likely due to unpatched firmware and the effectiveness of the exploited Asus router vulnerability.
What Asus Has (and Hasn’t) Said So Far
As of the latest official statement, Asus has acknowledged the attack and confirmed it is resolvable, though they have yet to release a firmware patch specifically addressing it. So far, they have recommended the following actions for all users:
- Update to the latest firmware to ensure any previously patched Asus router vulnerability is closed.
- Perform a factory reset to remove unauthorized configurations or persistent threats.
- Use a strong password, at least 10 characters long, including uppercase and lowercase letters, numbers, and symbols.
- Disable remote management (such as SSH, DDNS, AiCloud, or Web Access from WAN) unless it is absolutely necessary.
Asus confirmed that the recommended countermeasures apply to both affected and End-of-Life (EoL) devices.
They have also urged users to follow standard security best practices and monitor their networks for unusual activity or performance degradation, especially if you suspect your Asus router was hacked.
How Hackers Are Breaking In and Taking Control
Attackers are exploiting multiple firmware vulnerabilities to install backdoors in Asus routers. One confirmed vulnerability is:
- CVE-2023-39780: A command-injection flaw that allows remote execution of system commands. Asus has already issued a patch for this flaw in a recent firmware update.
Other exploited vulnerabilities are patched but not yet assigned CVE IDs — indicating that many routers remain exposed due to delayed updates. These flaws are central to the broader Asus router vulnerability being exploited. Once compromised, the attackers configure the router to allow SSH access over port 53282 using a malicious digital certificate. The presence of an unusual or unauthorized SSH key is a common indicator of infection.
In addition to persistent SSH access, system logs from infected devices have shown repeated unauthorized login attempts originating from a small group of external IP addresses known to be linked to this campaign. If your system or firewall logs contain entries from unfamiliar or suspicious IPs, it could be a sign that your Asus router has been compromised.
Router Recovery Plan: Clean It. Block It. Update It
1. Remove the SSH Key and Port Setting
- Access your router configuration panel.
- Locate the SSH settings.
- Delete the unauthorized key beginning with: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ…
- Disable SSH access over port 53282.
2. Block Malicious IP Addresses
- Open your router’s firewall or traffic filtering settings.
- Add rules to block incoming and outgoing connections to the following IP addresses: 101.99.91.151, 101.99.94.173, 79.141.163.179, 111.90.146.237.
3. Update the Firmware
- Visit the Asus Support website and install the latest firmware available for your model.
4. Factory Reset (if unauthorized access persists or you suspect deeper compromise)
- Perform a full factory reset by holding the reset button for 10+ seconds.
- Reconfigure the device from scratch, avoiding the use of old configuration backups.
Uncover Router Vulnerabilities Automatically Using Fing
A practical tool for assessing your router’s security is the Fing Router Vulnerability Check, available in the Starter, Premium, and Pro plans. This feature scans your router for known issues — including open ports that leave the device exposed to remote attacks — and alerts you to configuration risks.
Early detection via tools like Fing is critical to identifying if your Asus router has been hacked.
Don’t Wait: Secure Your Network Before It’s Too Late
This campaign underscores the dangers of internet-facing devices with known vulnerabilities. Asus routers hacked through stealthy backdoors can be used to anonymize criminal activity, without the owner’s knowledge.
Even if you do not use an Asus router, it’s essential to:
✅ Keep your firmware updated
✅ Disable unused services like remote administration
✅ Audit router settings regularly
✅ Block known malicious IP addresses proactively
✅ Use network scanners like Fing to detect open vulnerabilities
Act today to ensure your router isn’t silently helping cybercriminals operate in the shadows.
