Persistent Backdoor Threatens ASUS Routers Despite Firmware Updates

ASUS routers have recently been identified as targets in a sophisticated cyberattack campaign that establishes a persistent backdoor, surviving both firmware updates and device reboots. This discovery underscores the evolving nature of cyber threats and the necessity for vigilant security practices among users.

Discovery of the Backdoor

In March 2025, cybersecurity firm GreyNoise detected unusual HTTP POST requests directed at internet-facing ASUS routers running stock factory firmware. The affected models include the RT-AC3100, RT-AC3200, and RT-AX55. Further investigation revealed a covert intrusion campaign that had remained undetected for several months.

Mechanism of the Attack

Attackers exploited weak credentials and two authentication bypass vulnerabilities to gain unauthorized access. They then leveraged the since-patched ASUS router vulnerability CVE-2023-39780 to execute commands. Instead of deploying traditional malware, the attackers enabled SSH access on TCP port 53282 through the router's own built-in SSH settings and installed their SSH public key. Because these settings are written to non-volatile memory (NVRAM), the backdoor persists across firmware updates and device reboots. To evade detection, logging was disabled before persistence was established.

Implications and Scope

GreyNoise has not attributed the campaign to a specific group but noted that the level of sophistication aligns with advanced persistent threat actors. The infrastructure appears designed for long-term access, potentially serving as part of a broader command-and-control or relay network. As of May 27, scanning data from Censys indicated that over 9,000 ASUS routers exhibited signs of compromise, with numbers continuing to rise.

Historical Context

This incident is not isolated. In 2018, the VPNFilter malware infected approximately 500,000 routers worldwide, including ASUS models. VPNFilter was capable of data theft, device exploitation, and rendering routers inoperable. The FBI recommended rebooting routers to disrupt the malware, but emphasized that this was a temporary measure. A factory reset was necessary to fully remove the infection. Similarly, in 2022, the Cyclops Blink malware, linked to the Russian-backed Sandworm hacking group, targeted ASUS routers, establishing persistence and allowing remote access to compromised networks.

Recommended Actions for ASUS Router Owners

Given the persistence of the current backdoor, ASUS router owners should take the following immediate actions:

1. Check for Unauthorized SSH Access: Verify whether SSH access is enabled on TCP port 53282, the port used in this campaign.

2. Review User Accounts: Examine the list of authorized users and SSH keys to identify any unauthorized additions.

3. Update Firmware: Ensure the router is running the latest firmware version, as ASUS has patched CVE-2023-39780 and addressed undocumented login bypasses.

4. Perform a Factory Reset: To eliminate any persistent backdoors, perform a factory reset of the router. This process will erase all configurations and should be followed by reapplying the latest firmware update.

5. Change Default Credentials: Replace default usernames and passwords with strong, unique credentials to prevent unauthorized access.

6. Disable Remote Management: Unless necessary, disable remote management features to reduce exposure to potential attacks.

7. Monitor Network Traffic: Regularly monitor network traffic for unusual activity that may indicate compromise.
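Steps 1 and 2 can be automated against an exported copy of the router's settings. The following audit script is an added example, not part of the article or any ASUS tooling; it assumes the settings were exported as key=value lines (the shape of an `nvram show` dump), and the variable names sshd_enable, sshd_port and sshd_authkeys, as well as the `>` separator between stored keys, are assumptions about ASUSWRT-style firmware that should be checked on the device being audited.

```python
import socket
from typing import Dict, List

# Indicator from the article: SSH enabled on TCP/53282 with an attacker key in NVRAM.
BACKDOOR_PORT = 53282
# NVRAM variable names are an assumption (ASUSWRT-style); adapt to `nvram show` output.
KEY_ENABLE, KEY_PORT, KEY_AUTHKEYS = "sshd_enable", "sshd_port", "sshd_authkeys"

def parse_settings(dump: str) -> Dict[str, str]:
    """Parse key=value lines (the shape of an `nvram show` dump) into a dict."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit_settings(settings: Dict[str, str], trusted_keys: List[str]) -> List[str]:
    """Return a list of findings; an empty list means no backdoor indicators."""
    findings = []
    if settings.get(KEY_ENABLE, "0") != "0":
        port = settings.get(KEY_PORT, "")
        if port == str(BACKDOOR_PORT):
            findings.append(f"ssh enabled on TCP/{port} (port used in the campaign)")
        else:
            findings.append(f"ssh enabled on TCP/{port or '?'}; confirm this is intended")
    # Assumption: several keys are stored joined with '>'; also accept newlines.
    stored = settings.get(KEY_AUTHKEYS, "")
    for key in (k.strip() for k in stored.replace(">", "\n").splitlines()):
        if key and key not in trusted_keys:
            findings.append("unrecognised ssh public key: " + key[:40] + "...")
    return findings

def port_is_open(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> bool:
    """From the LAN, check whether the router accepts TCP connections on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample dump resembling a compromised device (not real data).
SAMPLE_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-ed25519 AAAAC3constructedKEY attacker@example
"""

if __name__ == "__main__":
    for finding in audit_settings(parse_settings(SAMPLE_DUMP), trusted_keys=[]):
        print("FINDING:", finding)
```

Any finding should be treated as a reason to proceed to the factory reset in step 4, since removing the key alone does not rule out other changes made with the same access.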

Conclusion

The discovery of a persistent backdoor in ASUS routers highlights the critical importance of proactive cybersecurity measures. Users must remain vigilant, regularly update firmware, and adhere to best practices to safeguard their networks against evolving threats.