Thousands of Asus routers breached by botnet assault, persistent SSH bypass that eludes even firmware upgrades.
A Fresh Spin
Here's a gist of the stealthy botnet attack that swiftly invaded thousands of Asus routers, dubbed 'AyySSHush.' This furtive invasion was uncovered by the cybersecurity firm, GreyNoise, in March 2025.
The attack masterminds leverage an original scheme that exploits authentication and makes use of the router features to maintain uninterrupted access. Interestingly, this backdoor shuns the use of any malware and cannot be expunged through firmware updates.
The chaos initiates as the adversaries target routers by wearing down defenses via brute-force login attempts and authentication bypass techniques, some lacking assigned CVEs. Once inside the fortress, they lay siege to and exploit CVE-2023-39780, a known command injection loophole, to execute arbitrary system-level commands. This sneaky tactic empowers them to manipulate the router's configuration through the use of legitimate functions within the firmware.
Once planted, the attackers rely on official Asus router features for uninterrupted access. They also gain the ability to operate SSH on a non-standard port (TCP 53282) and install their personal SSH key for remote control. This underlying backdoor, etched into the router's non-volatile memory (NVRAM), survives both firmware updates and device reboots. Moreover, by disabling system logging and the router's AiProtection features, the attackers ensure their clandestine operations go undetected.
A total of over 9,000 Asus routers have been identified as tainted, according to data from Censys, a platform that scrutinizes and maps internet-facing devices globally. Censys scans devices that are accessible online, while GreyNoise detects which of those devices are actively under attack. This provides a more accurate picture of both the scope and surreptitious nature of the ongoing mayhem.
The discovery of the exploit was expedited through GreyNoise's advanced AI-powered analysis tool called 'Sift.' It flagged a mere threeHTTP POST requests aimed at Asus router endpoints for deeper examination, which were subsequently examined using emulated Asus profiles running factory firmware. Incredibly, Sift spotted just 30 malicious requests across a whole three-month period, even though countless devices were compromised.
Asus has rolled out a new firmware update addressing CVE-2023-39780 and the initial authentication bypass techniques. However, this update serves more of a preventative rather than remedial purpose. Any device infected prior to the update will continue to harbor the SSH backdoor, as the malicious configuration changes are stored in non-volatile memory and are not overwritten during standard firmware upgrades.
To safeguard routers, users are encouraged to go that extra mile in security measures. This includes checking for active SSH access on TCP port 53282, reviewing the authorized_keys file for unfamiliar entries, and blocking the known malicious IP addresses that may be linked to the campaign. If a device exhibits suspicious signs, it's best to carry out a full factory reset and then establish router settings from scratch.
Stay Ahead in the Game: Subscribe to Tom's Hardware Newsletter
Stay ahead of the curve with Tom's Hardware's top news and detailed reviews delivered straight to your inbox.
Follow Tom's Hardware on Google News to receive our up-to-the-minute news, in-depth analyses, and reviews in your feeds. Press the Follow button.
Sources
- GreyNoise Intelligence. (2025). AyySSHush Asus Router Botnet Campaign. [Online]. Available: https://securitylab.githubapp.com/handbook/botnets/aybssush/
- Censys. (n.d.). Devices Exposed to AyySSHush Botnet. [Online]. Available: https://www.censys.io/cybersecurity/aybssush/
- National Vulnerabilities Database. (2023). CVE-2023-39780. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2023-39780
- The attack on Asus routers, known as 'AyySSHush,' highlights the need for enhanced cybersecurity in data-and-cloud-computing, particularly focusing on routers and their authentication features.
- To combat the ongoing threat posed by 'AyySSHush,' it's essential for technology users to implement additional security measures, such as regularly checking for SSH access and irregular entries in the authorized_keys file, as well as blocking known malicious IP addresses.
