Thousands of Asus routers have been compromised in a silent, persistent attack that gives hackers remote access, even after firmware updates.
Cybersecurity firm GreyNoise uncovered the campaign, which targets internet-facing Asus models like the RT-AC3100 and RT-AX55. Attackers use brute-force logins or old vulnerabilities to gain admin access, then exploit a flaw (CVE-2023-39780) to enable hidden logging features and install a stealthy backdoor.
SSH access is then enabled through official settings, with an attacker-controlled key added. GreyNoise warns this “persists across firmware upgrades” and may be part of a long-term botnet operation, with over 4,800 affected devices already detected.
Businesses using Asus routers should check for SSH on port 53282, inspect authorised\_keys, and block known malicious IPs. If compromise is suspected, only a full factory reset can remove the backdoor.
“Many thanks again for all of your work getting us up and running in the cloud and getting us organised, another happy customer.”
- Karen Cotton -