9,000 ASUS Routers Compromised in Stealthy Backdoor Campaign

A campaign targeting nearly 9,000 ASUS routers globally has given attackers persistent, undetectable access, likely to build a botnet network for future operations.

The discovery, made by GreyNoise on March 18, 2025, was kept under wraps until coordination with government and industry partners was completed, culminating in a public report released today.

The campaign was detected by GreyNoise’s proprietary AI-powered network payload analysis tool, Sift, which flagged a small number of anomalous HTTP POST requests aimed at ASUS router endpoints. These requests, captured through GreyNoise’s fully emulated ASUS RT-AC3100 and RT-AC3200 routers running factory firmware, enabled researchers to reconstruct the attack chain and verify how access was obtained and maintained. Remarkably, the attack methods combine brute-force login attempts, authentication bypass techniques (including some with no assigned CVEs), and exploitation of CVE-2023-39780, a known command injection vulnerability.

ASUS, based in Taiwan, is a major global player in the networking and consumer electronics market, producing popular router models used by individuals, small businesses, and even some enterprise environments. Their routers often come preloaded with Trend Micro’s AiProtection security features, ironically a key target of the attackers in this campaign.

The attackers not only bypassed security controls but actively disabled them, using legitimate ASUS configuration features to establish SSH access on a custom port (TCP/53282), insert attacker-controlled SSH public keys, and store the backdoor setup in non-volatile memory (NVRAM). This makes the backdoor resilient to reboots and firmware updates, allowing long-term, stealthy control.

The attack chain starts with brute-force attempts and subtle authentication bypasses, followed by a command injection that exploits CVE-2023-39780. Notably, the attackers use official ASUS commands to touch the file /tmp/BWSQL_LOG, which enables Bandwidth DPI logging functions, and they configure persistent SSH access by adding their public key.

Once configured, the attackers can return at will, with no malware dropped and router logging conveniently disabled, leaving defenders largely blind.

The list of affected devices, compiled using Censys internet scans, includes ASUS RT-AX55 models running vulnerable firmware versions such as FW_RT_AX55_300438651598. Even after ASUS began releasing patches, inconsistencies like broken download links and incomplete fixes (as observed in firmware diffing work by researchers) left many devices exposed.

GreyNoise observed only 30 relevant network events over three months across its massive dataset, underlining the stealth and precision of the operation.

For users and administrators, defense steps should include:

• Immediately disconnecting vulnerable ASUS routers from the internet.
• Checking for unauthorized SSH keys and removing them.
• Factory resetting routers and applying the latest firmware updates.
• Manually verifying that logging and security features (like AiProtection) are re-enabled.
• Changing all default and weak credentials, especially on admin accounts.
• Monitoring network activity for unusual outbound connections, particularly over high-numbered SSH ports like TCP/53282.

While ASUS has released patches addressing CVE-2023-39780, GreyNoise warns that firmware updates alone do not remove the SSH backdoor, as the malicious configuration persists in NVRAM. Only a full factory reset can wipe these changes.