Thousands of ASUS Routers Hacked in Global Cybersecurity Threat

A widespread and sophisticated hacking campaign has compromised more than 9,000 ASUS routers, raising alarm bells among cybersecurity experts who warn the breach may be a precursor to a large-scale botnet. According to cybersecurity firm GreyNoise, the attacks have been unfolding over several months and are primarily driven by brute-force login attempts and a critical command injection vulnerability, officially catalogued as CVE-2023-39780.

The vulnerability allows attackers to execute system commands on vulnerable routers, effectively gaining unauthorized control over the devices. Although ASUS recently released a firmware update to patch the flaw, GreyNoise researchers emphasized that routers compromised prior to the update may still contain hidden backdoors unless secure shell (SSH) access is manually disabled.

Initial signs of the campaign surfaced in March 2025 when GreyNoise detected unusual HTTP POST requests targeting ASUS routers. These early indicators have since evolved into a full-blown exploitation effort, according to senior researcher Matthew Remacle. Despite ASUS issuing a fix, GreyNoise noted that earlier authentication bypass methods used in the attacks have not yet been officially assigned CVE identifiers.

Suspected Nation-State Actor May Be Behind the Breach

While no actor has officially been linked to the breach, cybersecurity experts point to tactics commonly associated with advanced persistent threat (APT) groups, highly skilled hackers often backed by nation-states. These techniques enable attackers to maintain control of compromised devices even after firmware updates or system reboots.

Further insight came from a recent report by cybersecurity firm Sekoia, which identified a threat actor dubbed ViciousTrap as likely responsible. The group has reportedly compromised over 5,500 devices in a campaign that resembles the creation of a pseudo-honeypot, a deceptive network designed to lure in attackers and observe their behavior.

ViciousTrap has also been linked to previous attacks targeting a broad array of edge devices, including baseboard management controllers, digital video recorders, and routers typically used in small office/home office (SOHO) environments. In one earlier incident, the group exploited a critical flaw in the web management interface of Cisco Small Business routers, tracked as CVE-2023-20118, which allowed attackers to gain root access and extract sensitive data.

Industry and Government Agencies Respond

GreyNoise reported that it delayed public disclosure of the ASUS router campaign at the request of government officials and industry partners who were coordinating a broader mitigation effort. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) declined to comment directly and redirected inquiries to ASUS.

Cisco, for its part, announced that it will not issue a fix for the CVE-2023-20118 vulnerability in its devices but has released guidelines to help network administrators disable the vulnerable features manually.

Security experts advise users to immediately update their router firmware, disable unnecessary remote access services like SSH, and monitor their network traffic for anomalies. With the compromised ASUS routers potentially serving as the foundation for a global botnet, cybersecurity authorities are urging both consumers and IT professionals to take proactive measures against the growing threat.
