  • #37896
    Grisu
    • Replies 1,014
    • Forum Addict

    Here more infos about this serious backdoor, which can only be removed with newest (patched) firmware and factory-reset, as it is written into NVRAM.

    https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers

    • This topic was modified 11 months ago by Grisu.
    #37899
    UK Sentinel
    Keymaster
    • Replies 8,507
    • The Skipper

    I have been making sure my DSL-AX82U has not been compromised over the last 6 weeks or so, since I was first made aware. I have been checking weekly on the Remote SSH option in the ASUSWRT UI, in particular whether SSH access on port 53282 has been configured.

    ASUS released firmware updates a while ago (not sure for which models) to patch CVE-2023-39780, the command injection vulnerability exploited in this backdoor campaign.

    I know these ASUS routers are impacted, but I am unsure which others may also be vulnerable.

    • RT-AC3100
    • RT-AC3200
    • RT-AX55


    I am going to have a chat with ASUS as they keep removing older firmware versions and the associated changelogs, so you cannot check which firmwares have had which CVEs applied/resolved.

    E.g. the RT-AX55 was released back in 2020, but the oldest firmware available for reference and download is 2024/11/11 – 3.0.0.4.386_52332.


    FWIW: there is https://nvd.nist.gov/, but for the average ASUS owner that is well beyond their area of knowledge.


    In a completely sane world, madness is the only freedom (J.G.Ballard).
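    The weekly check described above can be scripted against an `nvram show` dump, since the thread notes the backdoor persists in NVRAM. This is an added example, not code from the thread or from ASUS; the key names (`sshd_enable`, `sshd_port`, `sshd_wan`, `sshd_authkeys`) and the `>` separator between keys are assumed from ASUSWRT/Merlin, and the dump below is constructed.

```python
"""Flag the persistence indicators discussed in the thread in an ASUSWRT
`nvram show` dump: Remote SSH enabled, reachable from WAN, listening on
TCP/53282, or carrying an authorized key the owner never added.
Key names are assumed from ASUSWRT/Merlin firmware (not verified here)."""

# Constructed sample of `nvram show` output, not captured from a real router.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY someone@example
lan_ipaddr=192.168.50.1
"""

SUSPECT_PORT = 53282  # port named in the thread and the GreyNoise write-up


def parse_nvram(text):
    """Turn 'key=value' lines into a dict; values may themselves contain '='."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def check_remote_ssh(cfg, known_keys=()):
    """Return a list of findings; an empty list means nothing suspicious.

    known_keys: authorized keys the owner deliberately installed."""
    findings = []
    enabled = cfg.get("sshd_enable", "0") != "0"
    wan_reachable = cfg.get("sshd_wan", "0") == "1"
    port = cfg.get("sshd_port", "22")
    if enabled and wan_reachable:
        findings.append("SSH is reachable from the WAN side")
    if enabled and port == str(SUSPECT_PORT):
        findings.append(f"SSH listens on TCP/{SUSPECT_PORT}")
    # Merlin stores several keys separated by '>' (assumed); any key the owner
    # did not install is a red flag regardless of port or WAN exposure.
    for key in cfg.get("sshd_authkeys", "").split(">"):
        key = key.strip()
        if key and key not in known_keys:
            findings.append(f"unknown authorized key: {key[:40]}...")
    return findings


if __name__ == "__main__":
    for finding in check_remote_ssh(parse_nvram(SAMPLE_NVRAM)):
        print("FINDING:", finding)
```

    A clean router reports nothing; on a real device feed it the output of `nvram show` via SSH or the router's console, and pass your own public key in `known_keys`.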

    #37900
    MultiDoc
    • Replies 11
    • New Here

    I have a pair of Asus BQ16s and just updated their firmware to the latest yesterday (only released a couple of days ago). Should I be blocking those specific IPs as per the article, to be safe, or not?

    #37903
    UK Sentinel
    Keymaster
    • Replies 8,507
    • The Skipper

    I do not believe CVE-2023-39780 is a concern for you, but because of the authentication bypass techniques, which may or may not be an issue with your pair of Asus BQ16s, it would be wise to block the port and IP addresses.


    #37904
    MultiDoc
    • Replies 11
    • New Here

    Thanks for the response. Do you mind telling me if I’ve done it correctly, please? (See attached screenshot.)


    #37906
    UK Sentinel
    Keymaster
    • Replies 8,507
    • The Skipper

    Looks good. I assume you are not using IPv6 and that under Firewall > General the Enable Firewall radio button is selected.

    Just be mindful: the ASUS Network Services Filter blocks LAN-to-WAN packet exchanges, and by default ASUS routers block all connections from WAN to LAN.

    That’s why part of the objective of this compromise is to enable Remote SSH on port 53282, and the above ruleset stops any traffic leaving via the WAN.

    If you are still concerned, try the GRC ShieldsUP (https://www.grc.com) test on the router to see if all ports are in Stealth mode, and then try the specific port 53282 just to make sure you are still safe and not compromised in any way.

    For Clarity:

    CVE-2023-39780 requires authentication for exploitation. This means an attacker must first gain access to the router—either by logging in with valid credentials or bypassing authentication through other vulnerabilities—before they can exploit this flaw.

    https://nvd.nist.gov/vuln/detail/CVE-2023-39780


    #37956
    UK Sentinel
    Keymaster
    • Replies 8,507
    • The Skipper

    News!

    Asus responds to concerns over 9,000+ routers compromised by botnet


    #38013
    UK Sentinel
    Keymaster
    • Replies 8,507
    • The Skipper

    Seems a few more ASUS router models have now been added to the AyySSHush compromised list and compromises are mostly geolocated in the U.S., Sweden, Taiwan, Singapore, and Hong Kong.


    https://censys.com/blog/tracking-ayysshush-a-newly-discovered-asus-router-botnet-campaign


    #38014
    Grisu
    • Replies 1,014
    • Forum Addict

    For me it seems to target all Asus routers (at least those with the same level of firmware), but they are showing only the top 10 listed.

    • This reply was modified 10 months, 2 weeks ago by Grisu.
    #38016
    UK Sentinel
    Keymaster
    • Replies 8,507
    • The Skipper
    Grisu said:

    “For me it seems to target all Asus routers (at least those with the same level of firmware), but they are showing only the top 10 listed.”

    I agree; even the DSL-AX82U is on the lower list.

    A tricky scenario as ASUS owners need to stop them gaining access to the router and then limit what the threat actor / bot can do once they are inside the router.
