Pierluigi Paganini@securityaffairs.com
//
A new botnet campaign, dubbed AyySSHush, is targeting ASUS routers, compromising over 9,000 devices globally. The attackers are exploiting a known command injection vulnerability, CVE-2023-39780, along with other authentication bypass techniques to gain unauthorized access. Models such as RT-AC3100, RT-AC3200, and RT-AX55 are among those being targeted, with attackers seeking to establish a persistent presence within the compromised routers. GreyNoise researchers, who uncovered the campaign, emphasize the stealthy tactics employed, which include disabling router logging and avoiding the installation of malware, making detection difficult.
Attackers initially gain access to ASUS routers through brute-force login attempts and the exploitation of authentication bypass flaws, including techniques that have not yet been assigned CVEs. Once inside, they leverage the CVE-2023-39780 command injection vulnerability to execute system commands and modify router settings. These commands enable SSH access on a custom port, typically TCP/53282, and insert an attacker-controlled public key for remote access. This allows the attackers to maintain a persistent backdoor into the compromised routers, even after firmware upgrades and reboots.
As a result of this sophisticated campaign, compromised ASUS routers require a factory reset to fully remove the persistent SSH backdoor. Standard firmware updates are insufficient, as the attackers abuse legitimate router configuration features stored in non-volatile memory (NVRAM). GreyNoise recommends users rotate all authentication tokens, including passwords and SSH keys, and perform a factory reset to clear the affected devices' NVRAM. Users can also use runZero's service inventory to locate potentially impacted assets by querying for SSH protocol on port 53282, or scan for the attacker’s public key using the SSHamble tool.
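The detection guidance above (look for SSH listening on TCP/53282, and check for an attacker-controlled key in the router's authorized keys) can be reduced to two simple checks. The following is an added example written for this digest, not code from GreyNoise, runZero or the linked articles; the inventory records, host addresses and key blobs are constructed sample data, and the fingerprint format mirrors OpenSSH's `SHA256:` base64 style.

```python
import base64
import hashlib
from typing import Dict, List, Set, Tuple

# Port that the campaign summary reports for the persistent SSH backdoor.
SUSPECT_SSH_PORT = 53282

# Constructed sample service inventory (hypothetical hosts), one record per
# open port, in the shape a scanner or asset-inventory export might take.
SAMPLE_INVENTORY: List[Dict] = [
    {"host": "192.0.2.10", "port": 22, "protocol": "ssh", "banner": "SSH-2.0-dropbear"},
    {"host": "192.0.2.11", "port": 53282, "protocol": "ssh", "banner": "SSH-2.0-dropbear"},
    {"host": "192.0.2.12", "port": 53282, "protocol": "http", "banner": "nginx"},
    {"host": "192.0.2.13", "port": 443, "protocol": "https", "banner": ""},
]

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ssh-dss"}


def _constructed_blob(seed: int) -> str:
    """Build a base64 key blob for the sample data (constructed, not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(raw).decode()


ADMIN_KEY_BLOB = _constructed_blob(1)   # the operator's known key (constructed)
ROGUE_KEY_BLOB = _constructed_blob(200) # an unknown key, as an attacker might add (constructed)

# Constructed authorized_keys content: one expected key, one unknown key with no comment.
SAMPLE_AUTHORIZED_KEYS = (
    "# managed keys\n"
    f"ssh-ed25519 {ADMIN_KEY_BLOB} admin@router\n"
    f"ssh-ed25519 {ROGUE_KEY_BLOB}\n"
)


def find_ssh_on_port(records: List[Dict], port: int = SUSPECT_SSH_PORT) -> List[str]:
    """Return hosts exposing an SSH service on the given non-standard port."""
    return sorted({r["host"] for r in records
                   if r["port"] == port and r["protocol"].lower() == "ssh"})


def parse_authorized_key(line: str) -> Tuple[str, str, str]:
    """Split an authorized_keys line into (type, base64 blob, comment).

    Handles an optional options prefix (e.g. 'no-pty ssh-ed25519 AAAA...').
    """
    parts = line.split()
    for i, token in enumerate(parts):
        if token in KEY_TYPES and i + 1 < len(parts):
            return token, parts[i + 1], " ".join(parts[i + 2:])
    raise ValueError(f"not an authorized_keys entry: {line!r}")


def key_fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint (base64, unpadded) of a key line."""
    _, blob, _ = parse_authorized_key(line)
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_unexpected_keys(authorized_keys_text: str,
                         allowed_fingerprints: Set[str]) -> List[Tuple[str, str]]:
    """Return (fingerprint, comment) for each key not on the allow-list."""
    unexpected = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp not in allowed_fingerprints:
            _, _, comment = parse_authorized_key(line)
            unexpected.append((fp, comment))
    return unexpected


# Allow-list built from the keys an operator knows they provisioned.
ALLOWED_FINGERPRINTS: Set[str] = {key_fingerprint(f"ssh-ed25519 {ADMIN_KEY_BLOB} admin@router")}

if __name__ == "__main__":
    print("SSH on %d:" % SUSPECT_SSH_PORT, find_ssh_on_port(SAMPLE_INVENTORY))
    print("Unexpected keys:", find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS))
```

Only a record whose protocol is actually SSH counts; an unrelated service on the same port number is not a hit. Both checks are starting points for triage: a positive result is a reason to rotate credentials and factory reset, as the summary recommends, rather than proof of compromise on its own.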
References:
- cyberinsider.com: A campaign targeting nearly 9,000 ASUS routers globally has given attackers persistent, undetectable access, likely to build a botnet network for future operations.
- The GreyNoise Blog: GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
- Blog: ASUS routers exposed to the public Internet are being compromised, with backdoors being installed. Here's how to find impacted assets on your network.
- www.scworld.com: ASUS router backdoors affect 9K devices, persist after firmware updates
- securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet
- bsky.app: Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco
- securityaffairs.com: New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.
- CyberInsider: 9,000 ASUS Routers Compromised in Stealthy Backdoor Campaign
- BleepingComputer: Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor
- www.techradar.com: Thousands of Asus routers hacked to create a major botnet planting damaging malware.
- The Register - Security: 8,000+ Asus routers popped in 'advanced' mystery botnet plot
- PCMag UK security: Cybercriminals Hack Asus Routers: Here's How to Check If They Got Into Yours
- eSecurity Planet: Over 9,000 Routers Hijacked: ASUS Users Caught in Ongoing Cyber Operation
- www.itpro.com: Asus routers at risk from backdoor vulnerability
- www.csoonline.com: New botnet hijacks AI-powered security tool on Asus routers
- www.esecurityplanet.com: Over 9,000 ASUS routers were hacked in a stealth cyberattack exploiting CVE-2023-39780.
- cyble.com: Researchers disclosed that attackers have exploited this vulnerability in a widespread and stealthy botnet campaign, compromising over 9,000 ASUS routers and enabling persistent, unauthorized access to the affected devices.
- hothardware.com: Heads up if you have an Asus router in your home or office, as there's a backdoor exploit doing the rounds affecting 9,000 devices and counting.
- techvro.com: GreyNoise has exposed the AyySSHush botnet infecting over 9,000 ASUS routers, urging owners to factory reset devices as firmware updates alone won’t remove the hidden backdoor.
- Techzine Global: New botnet creates permanent backdoors in ASUS routers
- securityonline.info: AyySSHush: New Stealthy Botnet Backdoors ASUS Routers, Persists Through Firmware Updates
- Catalin Cimpanu: AyySSHush botnet infects 9k ASUS routers
- Blog: In early 2025, cybersecurity researchers uncovered a stealthy campaign compromising over 9,000 ASUS routers. Dubbed "AyySSHush," this operation targets specific ASUS models, including RT-AC3100, RT-AC3200, and RT-AX55, by exploiting a known command injection vulnerability, designated CVE-2023-39780, alongside other authentication bypass techniques.
- www.zdnet.com: Cybercriminals have hacked into thousands of Asus routers. Here's how to tell if yours is compromised.
Classification:
Sead Fadilpašić@techradar.com
//
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.
Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe.
ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards.
References:
- securityonline.info: Critical Security Flaws Found in ASUS DriverHub: Update Immediately
- Rescana: Vulnerabilities in ASUS DriverHub Exposed: CVE-2025-3462 and CVE-2025-3463 Analysis
- cyberinsider.com: Critical Flaw in ASUS DriverHub Exposes Users to Remote Code Execution
- securityaffairs.com: Researchers found one-click RCE in ASUS’s pre-installed software DriverHub
- The DefendOps Diaries: ASUS DriverHub Vulnerability: Understanding and Mitigating CVE-2025-3463
- The Hacker News: ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files
- BleepingComputer: The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
- bsky.app: ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
- www.techradar.com: Details on ASUS DriverHub driver management tool targeted by RCE vulnerability
- www.scworld.com: ASUS DriverHub vulnerabilities fixed
- Tech Monitor: TechMonitor article about ASUS DriverHub security vulnerability
- the420.in: The420.in
- Blog: ASUS patches RCE flaw in DriverHub utility
- socradar.io: CVE-2025-3462 & CVE-2025-3463: ASUS DriverHub Flaws Enable RCE
Classification:
- HashTags: #ASUS #DriverHub #RCE
- Company: ASUS
- Target: ASUS users
- Product: DriverHub
- Feature: driver update
- Malware: CVE-2025-3462 and CVE-2025-3463
- Type: Vulnerability
- Severity: Major