Users relying on Asus routers may still be exposed to a stealth backdoor campaign, even after updating firmware.
Asus routers have been compromised in a stealth backdoor campaign that persists even after firmware updates, according to cybersecurity firm GreyNoise. The firm disclosed its findings May 28 after coordinating with government and industry partners.
GreyNoise first discovered the campaign March 18, 2025, using its AI-powered network analysis tool, Sift. The system flagged anomalous HTTP POST requests targeting internet-facing Asus routers running factory firmware.
The affected routers include the popular RT-AC3100, RT-AC3200, and RT-AX55 models. Follow-up inspection revealed a discreet intrusion campaign that had avoided detection for months.
Attackers used weak credentials and two authentication bypasses to access the system. Next, they exploited the patched Asus router vulnerability CVE-2023-39780 to execute commands.
Instead of installing malware, they enabled SSH access on port 53282 using legitimate Asus settings and installed their SSH public key. The changes were written to non-volatile memory, meaning the backdoor survives firmware updates and reboots.
Logging was disabled before persistence was established, allowing the attack to fly under the radar.
Advanced stealth suggests long-term planning
GreyNoise hasn’t attributed the campaign to a specific group, but said the level of tradecraft is consistent with advanced persistent threat actors. The infrastructure appears designed for durable access, possibly as part of a broader command-and-control or relay network.
GreyNoise observed only 30 related requests over a three-month period. According to scanning data from Censys, more than 9,000 Asus routers showed signs of compromise as of May 27, with the number continuing to climb.
Asus patched CVE-2023-39780 in a recent firmware update. The undocumented login bypasses also appear to be addressed.
However, routers compromised before the update may still be vulnerable if SSH access was established and not removed. And, the infection is still present, even after the patch.
How to stay safe
GreyNoise recommends the following immediate actions for Asus router owners.
- Check for SSH access on port TCP/53282.
- Review the authorized_keys file for unknown entries.
- Block the following IPs associated with the attack: 101.99.91.151, 101.99.94.173, 79.141.163.179, 111.90.146.237
- If compromise is suspected, perform a full factory reset and reconfigure the device manually.
To reduce your risk of router compromise, it’s important to follow several best practices. Regularly updating your router’s firmware is crucial, as security patches are often the only defense against known vulnerabilities.
Additionally, changing the default passwords for both router access and your Wi-Fi network is essential. Use strong, unique passwords to enhance security.
Disabling remote management is another effective measure if you don’t need access from outside your local network. Periodically auditing your router settings can help identify unknown SSH keys, open ports, or unfamiliar configurations.
Implementing a network firewall, even a simple one, can block suspicious inbound and outbound traffic. Lastly, checking manufacturer advisories from companies like Asus can provide updates or alerts about active threats.
