ASUS Router Apocalypse: Is Your Network Next?

PSA: Thousands of ASUS wireless routers compromised by botnet - 9to5Mac

Urgent Security Alert: Thousands of ASUS Routers Hijacked in Sophisticated Botnet Attack


Thousands of ASUS wireless routers have been compromised by a sophisticated botnet operation. The campaign, initially detected by security researchers at GreyNoise in March, targets not only ASUS devices but also routers from other leading manufacturers like Cisco, D-Link, and Linksys.


What makes this attack particularly insidious is its ability to persist even after firmware updates, leaving affected routers vulnerable and under the long-term control of malicious actors.


Key Highlights of the ASUS Router Compromise:


  • Widespread Impact: Thousands of ASUS routers are confirmed to be compromised.
  • Persistence: Attackers maintain control even after reboots and firmware updates.
  • Stealth Operation: The attack aims to build a distributed network of backdoor devices, potentially for a future large-scale botnet.
  • Sophisticated Techniques: The attack chains authentication bypasses, exploitation of known vulnerabilities, and abuse of legitimate configuration features.

Who's Behind the Attack?


Speculation points towards a possible nation-state actor, suggesting the potential for a highly coordinated and well-resourced operation. The ultimate goal appears to be leveraging the compromised routers for future large-scale exploits.


Affected ASUS Router Models:


The following ASUS router models are known to be affected:


  • RT-AC3100
  • RT-AC3200
  • RT-AX55

The Danger of Firmware Updates Alone:


Simply updating your router's firmware after it has been compromised will not remove the backdoor access. As GreyNoise explains, the attackers use official ASUS features to add a key that persists across firmware upgrades. In GreyNoise's words: "If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor."


Furthermore, the exploit disables logging, making it difficult to detect the compromise in the first place.
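
The check below is an added example, not code from GreyNoise, ASUS, or the original article. It audits an exported copy of a router's SSH settings for the persistence described above: it fingerprints every authorized key, compares the fingerprints with the keys you installed yourself, and flags disabled logging. The setting names (`ssh_authorized_keys`, `logging_enabled`) and the sample keys are hypothetical and constructed; real firmware stores these values under its own names.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types


def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line."""
    fields = key_line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):  # skips any leading key options
            blob = base64.b64decode(fields[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found")


def audit(settings, trusted):
    """Return findings for keys not in `trusted` and for disabled logging."""
    findings = []
    for line in settings.get("ssh_authorized_keys", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fp = fingerprint(line)
        except ValueError:  # also covers malformed base64
            findings.append(("unparseable-key", line[:40]))
            continue
        if fp not in trusted:
            findings.append(("unknown-ssh-key", fp))
    if not settings.get("logging_enabled", True):
        findings.append(("logging-disabled", ""))
    return findings


def _line(seed, comment):
    # Constructed placeholder blob, not a real key: only the hashing matters.
    return "ssh-ed25519 " + base64.b64encode(seed).decode() + " " + comment


ADMIN = _line(b"constructed-admin-key-material", "admin@laptop")
OTHER = _line(b"constructed-unknown-key-material", "unknown")
# Hypothetical setting names; constructed sample of a tampered configuration.
SAMPLE = {"ssh_authorized_keys": ADMIN + "\n" + OTHER, "logging_enabled": False}

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE, {fingerprint(ADMIN)}):
        print(kind, detail)
```

The fingerprints use the same format that `ssh-keygen -lf` prints, so the trusted set can be built from your own public key files.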


Immediate Actions to Take:


If you own one of the ASUS router models listed above, take these steps immediately to secure your network:


  1. Factory Reset: Perform a full factory reset on your router. This is the only way to ensure the complete removal of the compromise.
  2. Firmware Update: After the factory reset, immediately update your router's firmware to the latest version. This will prevent future exploitation.

Other Brands: Cisco, D-Link, and Linksys


While Cisco, D-Link, and Linksys devices have been targeted, there are no confirmed reports of successful infections at this time. However, it's always a good practice to keep your router's firmware up to date, regardless of the brand.

Staying Protected:


This incident serves as a stark reminder of the importance of router security. By taking the recommended steps and staying vigilant, you can significantly reduce your risk of falling victim to such attacks. For more detailed information, you can visit GreyNoise.


In today's interconnected world, securing our home networks is more critical than ever. A proactive approach to security, combined with timely updates and awareness, can make all the difference in safeguarding your digital life. Stay safe, and keep your networks secure.

Source: https://9to5mac.com/2025/05/29/psa-thousands-of-asus-wireless-routers-compromised-by-botnet/
