
Over 140,000 ASUS routers at risk due to a critical security flaw

Researchers say a recent CVE with a CVSS score of 9.8 raises security concerns for edge, small office, and home office devices.


Small office/home office (SOHO) and edge devices, particularly ASUS routers, have recently been in the spotlight because of active exploitation of vulnerabilities that allow attackers to gain persistent, stealthy control over these devices.

The most notable threat group using these exploits is the "AyySSHush" (also known as "Ace Hush") campaign. This group targets ASUS routers through various methods, including brute-force attacks, authentication bypasses, and command injection vulnerabilities. One such vulnerability is CVE-2023-39780[1].

The AyySSHush attackers exploit ASUS AiProtection features and command injection flaws to embed backdoors in the router's non-volatile memory. This means that even after firmware updates, these backdoors can persist, requiring a factory reset to remediate[1].

Researchers have also documented kernel-level exploits in ASUS Armory Crate’s ASIO3 driver. This enables attackers to gain low-level hardware access, broadening the attack surface, especially when non-essential utilities automatically reinstall themselves via BIOS or Windows firmware updates[1].

Despite security patches released by ASUS in May and June 2025, some vulnerabilities remain actively exploited in 2025[1][5]. This exploitation and the persistent backdoors place SOHO edge devices at unusually high risk of sustained remote compromise, potentially allowing attackers to intercept traffic, steal credentials, or launch broader network attacks.

While there is no public indication that multiple well-known threat actor groups are specifically targeting ASUS routers in 2025, ongoing campaigns involving IoT and SOHO devices typically originate from sophisticated cybercriminal or espionage groups focused on exploiting these widespread consumer network devices.

To mitigate these risks, it is recommended to:

  1. Immediately update firmware from ASUS security advisories[5].
  2. Factory reset routers suspected to be compromised due to the persistence of backdoors[1].
  3. Uninstall non-essential ASUS utilities such as Armory Crate that can reinstate vulnerabilities via BIOS or system updates[1].
  4. Disable automatic reinstall mechanisms in BIOS and Windows settings for utilities[1].
  5. Monitor router login ports (e.g., port 53282 associated with some of these vulnerabilities) and employ network segmentation to limit exposure[2].
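
One way to act on step 5, as an added example that is not from the original article or from ASUS: audit a saved listing of the router's listening TCP sockets against an allowlist and flag port 53282. The `netstat -tln` sample is constructed, and the expected-port allowlist and function name are assumptions to adjust per device.

```python
import re

# Port named in this article as associated with the router compromises.
SUSPECT_PORTS = {53282}
# Assumption: listeners this particular router is expected to expose.
EXPECTED_PORTS = {53, 80, 443}

# Constructed sample of `netstat -tln` output saved from a router shell.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:18017         0.0.0.0:*               LISTEN
tcp        0      0 :::8443                 :::*                    LISTEN
"""

# proto, recv-q, send-q, local addr:port, foreign addr, state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\b")

def audit_listeners(netstat_text, expected=EXPECTED_PORTS, suspect=SUSPECT_PORTS):
    """Return findings for listeners that are suspect or not on the allowlist."""
    findings = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header line or a socket that is not listening
        addr, port = m.group(2), int(m.group(3))
        loopback = addr in ("127.0.0.1", "::1")
        if port in suspect:
            severity = "high"      # investigate; factory reset if confirmed
        elif port not in expected and not loopback:
            severity = "review"    # reachable listener missing from allowlist
        else:
            continue
        findings.append({"port": port, "address": addr, "severity": severity})
    # High-severity findings first, then by port number.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["port"]))

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT):
        print(finding)
```
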

This active exploitation scenario underscores the importance of vigilant patch management and proactive device hygiene in reducing risk. SOHO edge devices, due to their privileged network position and historically weaker security update adoption, remain prime targets for such attacks.

In summary, the AyySSHush campaign is the known and active threat group exploiting ASUS router vulnerabilities in 2025. Users and organizations should urgently update firmware, factory reset devices if compromised, remove vulnerable bloatware, and monitor network activity as primary defensive measures[1][5].

[1] Source: Censys Research
[2] Source: US-CERT
[3] Source: TechCrunch
[4] Source: The Hacker News
[5] Source: ASUS Security Advisory June 14, 2025

The AyySSHush (also known as "Ace Hush") campaign is a known threat group actively exploiting vulnerabilities in ASUS routers, particularly command injection flaws and the CVE-2023-39780 vulnerability. To mitigate these risks, it's essential to update firmware, factory reset devices if compromised, uninstall non-essential ASUS utilities, and disable automatic reinstall mechanisms.
