9,000 Asus Routers Transformed into Botnet through Exploited Vulnerability

Attackers exploited a vulnerability to gain access to the routers. They turned them into a botnet.

Security researchers have discovered a large-scale botnet of at least 9,000 Asus routers. According to GreyNoise, it is an attack “by a well-funded and highly technological actor”, presumably of state origin.

Permanently Infected

The attackers are exploiting a “command injection” vulnerability to gain access to the routers, writes PCWorld. Popular models such as the RT-AC3100, RT-AC3200, and RT-AX55 are affected. Once infected, the routers remain compromised, even after rebooting or firmware updates, because the malicious settings are stored in non-volatile memory.

Recovery Requires Factory Reset

The only way to remove the infection is to reset the router to factory settings. Simply updating the firmware is not enough as the malware survives this intervention. Users must completely reset their router and manually reconfigure it.

Patch Available since May 27

Asus has released a firmware update that prevents new infections. Those who have not yet been affected are advised to install the patch from May 27, 2025, or later as soon as possible. Those already infected must both install the update and perform a reset.

Malicious actors gain entry through port TCP/53282 and via specific IP addresses. Now that these have been made public, attackers may switch to other means. Proactive action is therefore necessary.
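
A defender can check for both indicators mentioned above. The following is an added example, not code from the article, GreyNoise, or Asus: it scans firewall logs for inbound TCP/53282 traffic or known source addresses, and tests whether a router accepts connections on that port. The netfilter-style log lines are constructed, the IP addresses are documentation-range placeholders rather than the published indicators, and the function names are hypothetical.

```python
import re
import socket

BACKDOOR_PORT = 53282  # TCP port named in the article
# Placeholder address (documentation range), NOT a published indicator.
SUSPECT_IPS = {"203.0.113.45"}

# Constructed netfilter-style log lines for illustration only.
SAMPLE_LOG = """\
May 30 02:11:04 router kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=53282
May 30 02:11:09 router kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=443
May 30 02:12:30 router kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=53282 DPT=53
May 30 02:13:00 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=22
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def scan_log(text, suspect_ips=SUSPECT_IPS, port=BACKDOOR_PORT):
    """Return (line_number, reason) for each line matching either indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = dict(FIELD.findall(line))
        # Indicator 1: TCP traffic addressed to the port named in the article.
        if fields.get("PROTO") == "TCP" and fields.get("DPT") == str(port):
            hits.append((n, f"tcp/{port}"))
        # Indicator 2: traffic from an address on the defender's suspect list.
        elif fields.get("SRC") in suspect_ips:
            hits.append((n, "suspect-ip"))
    return hits

def port_is_open(host, port=BACKDOOR_PORT, timeout=2.0):
    """True if a TCP connection to host:port succeeds, i.e. something listens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False

if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Run `port_is_open()` against your own router's LAN and WAN addresses; a listener on TCP/53282 that you did not configure is a reason to perform the factory reset described above.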