More than 9,000 ASUS routers have been compromised in a months-long hacking campaign that researchers from GreyNoise warn may be a prelude to the creation of a botnet.
Hackers are breaching routers through brute-force login attempts and authentication bypasses that rely on a command injection vulnerability, tracked as CVE-2023-39780, to execute system commands, GreyNoise researchers said in a blog post on Wednesday.
GreyNoise first detected suspicious activity in March, when it flagged three suspicious HTTP POST requests made to ASUS routers, according to Matthew Remacle, senior researcher at GreyNoise.
ASUS released a patch for the vulnerability in a recent firmware update, but the initial bypass attempts have not received CVEs, according to GreyNoise. In addition, researchers say, if a router was compromised before the firmware was updated, the backdoor will remain on the device unless Secure Shell (SSH) access is explicitly disabled.
GreyNoise’s count of affected devices is based on scans from Censys.
Researchers have not attributed the hacking campaign, but the tactics being used are consistent with those of advanced persistent threat (APT) groups. The hackers will remain in control of the devices even after reboots and firmware upgrades.
GreyNoise said government officials and industry partners asked the company to delay public disclosure while they coordinated the process of disclosing and fixing the flaws.
A spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) declined to comment on the disclosure and referred questions to ASUS.
A Sekoia report released last week links the hacking campaign to a threat actor dubbed ViciousTrap, which compromised more than 5,500 devices in an attempt to create a network similar to a honeypot.
ViciousTrap has been monitoring a wide variety of edge devices, including small office/home office (SOHO) routers, baseboard management controllers, digital video recorders and other devices, with the goal of exploiting vulnerabilities in them, according to Sekoia researchers.
The firm linked ViciousTrap to the exploitation of a vulnerability in the web management interface of Cisco Small Business routers, tracked as CVE-2023-20118. The vulnerability allows an attacker to gain root-level privileges and access unauthorized data.
Cisco said it would not release updates to address the vulnerability, but it issued guidance to help administrators disable an affected feature in the devices.