ASUS Router Backdoor (CVE-2023-39780)

A widespread security issue has been discovered affecting thousands of Asus routers. Attackers have gained remote access through a hidden backdoor, potentially creating a network of compromised devices for future malicious use.

To check if your router is affected, open its web interface and verify whether SSH access is enabled. Look specifically for a public SSH key beginning with ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...

If this key is present, your router is compromised. Simply updating the firmware will not fix the issue. You should manually disable SSH access immediately.

https://www.greynoise.io/blog/stealthy-backdoor-campaign-aff…

GreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet.

Update: 30 May 2025.

If your router has been accessed, the best thing you can do is a factory reset, advises PCMag security analyst Kim Key. This attack is a formidable one, GreyNoise says, because it "survives both reboots and firmware updates, giving them durable control over affected devices." A factory reset will get around this. In most other cases, updating the firmware would've solved the problem.

Asus also recommends you remove or disable the SSH entry and block the following four IP addresses, according to ZDNet:

101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237

If your router was not accessed, update the firmware to prevent any future issues. Asus fixed the CVE-2023-39780 flaw with its latest firmware update.

https://au.pcmag.com/wireless-routers/111311/cybercriminals-…

Comments

  • -3

    hehe backdoor

  • What the? 2023 CVE still unpatched?

    • +1

      It has been already patched, but there are routers that are still running the old firmware.

  • +5

    The SSH setting is found in the Administration tab of your router config page.

    In my case (Merlin FW) SSH is disabled by default. The setting for Remote Access Config -> Enable Web Access from WAN is also set to No by default (as it should be).

  • Currently using 2 Asus routers: the main one from Optus (when they still had it available), an Asus DSL AX82U AX5400, and an AiMesh node router, RT-AC59U V2.

    The AX82U doesn't even have SSH available as an option to select. Hate how Optus has disabled the option to use different firmware like Merlin.

    Should I be fine with my AiMesh node since it's not the main router?

    • There are ways to unlock the Optus AX5400 router and convert it to the stock state.
      It's discussed on WP

      https://forums.whirlpool.net.au/thread/32k1vyn9?p=16#r709441…

      • Cheers for that, I just unhid my SSH stuff and it seems everything is turned off, so I should be safe from this backdoor?

        Can they backdoor into my 2nd mesh router? Is that a thing I should be worried about?

        • Can they backdoor into my 2nd mesh router? Is that a thing I should be worried about?

          If the child node (Ai Mesh) has SSH turned on, yes it can be accessed.

          • @scrimshaw: Just tried to log in to my AiMesh router; it only shows up with Servers Center and Media Server as options.

            • @Torquecox: Doing some light research, I found out that the AiMesh node is controlled by the options of the main router, so it seems like it is off. Even tried to SSH into both the routers but got denied.

  • I've got Merlin firmware; SSH is set to LAN only on default port 22, so I think Merlin users are safe?

    • +1

      Even on Merlin firmware, things to check for are:
      AICloud should not be enabled
      AIDisk should not be enabled
      Enable web access from WAN is No
      Enable SSH is LAN only or No
      /home/root/.ssh/authorized_keys file does not contain the key in the OP
      Administration > Authorized Keys does not contain the SSH key
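The checklist above, turned into a script a defender can run over an exported config or a copy of the authorized_keys file. This is an added example, not code from the thread, GreyNoise or ASUS; the key prefix, the TCP/53282 port and the four blocked addresses come from the post, while the settings dictionary keys (enable_ssh, ssh_port, web_access_from_wan, aicloud, aidisk) are hypothetical names mirroring the Administration page labels, and the sample keys and log lines are constructed.

```python
import re

# Key prefix quoted in the post (the page truncates the full key, so we match the prefix).
BACKDOOR_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
# Custom SSH port named in the GreyNoise summary quoted in the thread.
BACKDOOR_SSH_PORT = 53282
# The four addresses ASUS recommends blocking, as listed in the post.
BLOCK_IPS = {"101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237"}

SAMPLE_KEYS = """# constructed sample of /home/root/.ssh/authorized_keys, not a real dump
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey admin@laptop
no-pty,from="*" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ/rest unknown
"""

def audit_authorized_keys(text):
    """Return 1-based line numbers of entries whose ssh-rsa blob starts with the indicator
    prefix. The blob is taken after the 'ssh-rsa' token, so option strings do not hide it."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.search(r"(?:^|\s)ssh-rsa\s+(\S+)", line)
        if m and m.group(1).startswith(BACKDOOR_KEY_PREFIX):
            hits.append(n)
    return hits

def audit_settings(settings):
    """settings: dict under the hypothetical keys named in the lead-in; values follow the
    web UI labels ('No', 'LAN only', ...). Returns findings; empty means the checklist passes."""
    findings = []
    ssh = settings.get("enable_ssh", "No")
    if ssh not in ("No", "LAN only"):
        findings.append(f"SSH reachable beyond LAN: {ssh}")
    if int(settings.get("ssh_port", 22)) == BACKDOOR_SSH_PORT:
        findings.append(f"SSH on TCP/{BACKDOOR_SSH_PORT}, the port used by the campaign")
    if settings.get("web_access_from_wan", "No") != "No":
        findings.append("Web access from WAN is enabled")
    for feature in ("aicloud", "aidisk"):
        if settings.get(feature, "No") != "No":
            findings.append(f"{feature} is enabled")
    return findings

def flagged_connections(log_lines):
    """Return the block-list addresses that appear in (constructed) connection log lines."""
    seen = set()
    for line in log_lines:
        seen.update(ip for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line) if ip in BLOCK_IPS)
    return seen
```

A non-empty result from any of the three functions is a reason to follow the post's advice (disable SSH, remove the key, factory reset and then update firmware) rather than to rely on the firmware update alone.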

  • +1

    Cheers. Checked mine and all of these functions were already turned off. SSH off, no key present. Remote access from WAN is off.

  • Both my Asus routers are SSH off by default. Sounds like an issue for old routers.

    • The default value is irrelevant. The attacker remotely turns it on if your firmware is not up-to-date and your router is vulnerable to CVE-2023-39780 (and several other vulnerabilities without CVEs).

      • +1

        Source?
        I can't find that in the report.

        • Which report? If it's the one I posted (https://www.greynoise.io/blog/stealthy-backdoor-campaign-aff…) then it's literally in the summary section:

          • Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs.
          • Attackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.
          • They use legitimate ASUS features to:
            • Enable SSH access on a custom port (TCP/53282).
            • Insert attacker-controlled public key for remote access.
          • +1

            @bio: How can they login if SSH is off?

            • -1

              @gfunk zero: Drive-by 0-day browser exploit? I got hit with one just recently on the computer I use to browse the web (e.g. OzBargain, anime sites, crypto sites). Chrome apparently patched it a few days ago.

              I keep separate computers for all my activities. These days with refurbs being so cheap, you should at least have one computer for banking, and one for browsing.
