ASUS is a popular broadband router manufacturer with customers across the globe including in the UK. Researchers at GreyNoise.io used their in-house AI anomaly detection tool Sift to discover unexpected traffic targeting ASUS routers on 17 March 2025. They have confirmed over 9,000 devices affected so far (based on Censys scans), although the numbers are still increasing. This has been going ‘quietly’ with GreyNoise only seeing 30 related requests in three months.
The disclosure to ASUS is believed to have been made on 23 March, giving the company time to address the issue with the publication of the blog article on 28 May. However, it means that the attack has been going on for some weeks, to possibly months.
“GreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet.
The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”
Technical Detail
Attackers gained unauthorised access through a combination of methods including brute-force login attempts, authentication bypasses and a command injection vulnerability (CVE-2023-39780) which permits execution of arbitrary commands.
After gaining access, attackers establish their long term presence by activating SSH on port 53282/tcp and inserting their own SSH key into the authorized_keys file on the router. Logging on the router is disabled and nothing else is installed in an attempt to remain stealthy. This suggests preparation for future use rather than immediate exploitation.
Rebooting the router or updating firmware will not remove access if it has already been compromised.
A full technical analysis has been published by GreyNoise.
Indicators of Compromise
Researchers have identified some IP addresses linked to the Command and Control (C2) infrastructure which network operators (using flow statistics) and security vendors can use to identify likely targets which have been compromised. These have been exchanging SSH traffic (although note the port number above). This is not an exhaustive list:
101.99.91.151101.99.94.17379.141.163.179111.90.146.237
Users can check their routers for any unexpected SSH keys in the authorized_keys file, as well as any devices running on port 53282/tcp.
If you have an affected ASUS router, upgrade the firmware as per ASUS instructions to patch CVE-2023-39780, however note this doesn’t remove access if it has already been compromised. You must check the SSH keys as well. A full ‘factory reset’ should remove the problem however you need to start with a fresh configuration and not restore from backup as this may contain the SSH keys.
ISPs may wish to block the above IPs as a precaution and monitor usage, although this is likely to only be a short term solution as there will likely be other IPs in use.
These kinds of security issues are affecting several manufacturers with Draytek having issues a couple of months ago. Users need to ensure they maintain up-to-date router configurations, and consider using an ISP-supplied and managed router if they are unsure about how to do this.
From what we can see on Censys, there aren’t large numbers currently showing in the UK which may meet the specific criteria above, however it’s important to note that the attack being rather specific could also mean it’s not exclusive to the port number above, and we’d encourage all Asus router users to check the SSH keys file.
From poking around the US centric SMBforums this appears to be new malware exploiting a vulnerability patched in 2023. Perhaps this is a timely reminder to people that run non-ISP routers to keep them updated, and replace when firmware updates stop.
We’ve been looking at this issue following the Draytek vulnerability. I chatted to TP-Link at Connected North who gave some really good answers (unlike their customer support team when I asked before) on support life. I think the problem is that expiry dates need to really be printed on front of routers and they need to require users to do something if they want to use them after expiry, like click something on the homepage every X months.. For most users an ISP-provided solution is probably best.
Want to do a feature on this. I wonder if we could build a database of routers which aren’t supported any more.