ASUS Router Backdoor (CVE-2023-39780)

A widespread security issue has been discovered affecting thousands of Asus routers. Attackers have gained remote access through a hidden backdoor, potentially creating a network of compromised devices for future malicious use.

To check if your router is affected, open its web interface and verify if SSH access is enabled. Look specifically for a public SSH key beginning with ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...

If this key is present, your router is compromised. Simply updating the firmware will not fix the issue. You should manually disable SSH access immediately.

https://www.greynoise.io/blog/stealthy-backdoor-campaign-aff…

GreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet.


Update: 30 May 2025.

If your router has been accessed, the best thing you can do is a factory reset, advises PCMag security analyst Kim Key. This attack is a formidable one, GreyNoise says, because it "survives both reboots and firmware updates, giving them durable control over affected devices." A factory reset will get around this. In most other cases, updating the firmware would've solved the problem.

Asus also recommends you remove or disable the SSH entry and block the following four IP addresses, according to ZDNet:

101.99.91.151
101.99.94.173
79.141.163.179
111.90.146.237

If your router was not accessed, update the firmware to prevent any future issues. Asus fixed the CVE-2023-39780 flaw with its latest firmware update.

https://au.pcmag.com/wireless-routers/111311/cybercriminals-…

Comments

  • -3

    hehe backdoor

  • What the? 2023 CVE still unpatched?

    • +1

      It has been already patched, but there are routers that are still running the old firmware.

  • +6

    The SSH setting is found in the Administration tab of your router config page.

    In my case (Merlin FW) SSH is disabled by default. The setting for Remote Access Config -> Enable Web Access from WAN is also set to No by default (as it should be).

  • Currently using 2 Asus routers: the main one from Optus, when they still had it available, an Asus DSL-AX82U AX5400, and an AiMesh node router, the RT-AC59U V2.

    The AX82U doesn't even have SSH available as an option to select. Hate how Optus has disabled the option to use different firmware like Merlin.

    Should I be fine with my AiMesh node since it's not the main router?

    • There are ways to unlock the Optus AX5400 router and convert it to the stock state.
      It's discussed on WP

      https://forums.whirlpool.net.au/thread/32k1vyn9?p=16#r709441…

      • Cheers for that, I just unhid my SSH stuff and it seems everything is turned off, so I should be safe from this backdoor?

        Can they backdoor into my 2nd mesh router? Is that a thing I should be worried about?

        • Can they backdoor into my 2nd mesh router? Is that a thing I should be worried about?

          If the child node (AiMesh) has SSH turned on, yes it can be accessed.

          • @scrimshaw: Just tried to log in to my AiMesh router, it only shows up with servers center and media server as options.

            • @Torquecox: Doing some light research, I found out that the AiMesh node is controlled by the options of the main router, so it seems like it is off. Even tried to SSH into both the routers but got denied.

  • I've got Merlin firmware, SSH is set to LAN only on the default port 22, so I think Merlin users are safe?

    • +2

      Even on Merlin firmware, things to check for are:
      AICloud should not be enabled
      AIDisk should not be enabled
      Enable web access from WAN is No
      Enable SSH is LAN only or No
      /home/root/.ssh/authorized_keys file does not contain the key in the OP
      Administration > Authorized Keys does not contain the SSH key

  • +1

    Cheers. Checked mine and all of these functions were already turned off. SSH off, no key present. Remote access from WAN is off.

  • Both my Asus routers are SSH off by default. Sounds like an issue for old routers.

    • The default value is irrelevant. The attacker remotely turns it on if your firmware is not up-to-date and your router is vulnerable to CVE-2023-39780 (and several other vulnerabilities without CVEs).

      • +1

        Source?
        I can't find that in the report.

        • Which report? If it's the one I posted (https://www.greynoise.io/blog/stealthy-backdoor-campaign-aff…) then it's literally in the summary section:

          • Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs.
          • Attackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.
          • They use legitimate ASUS features to:
            • Enable SSH access on a custom port (TCP/53282).
            • Insert attacker-controlled public key for remote access.

          • +1

            @bio: How can they log in if SSH is off?

            • -2

              @gfunk zero: Drive-by 0-day browser exploit? I got hit with one recently on the computer I use to browse the web (e.g. OzBargain, anime sites, crypto sites). Chrome apparently patched it a few days ago.

              I keep separate computers for all my activities. These days with refurbs being so cheap, you should at least have one computer for banking, and one for browsing.

              • @Maneki Angel Fund: Sounds excessive. I dual boot Linux and Windows; also I reckon most browser viruses don't impact Linux, but not 100% on that.

                • +1

                  @gfunk zero: It is not excessive, plus not sure what the downvotes are when people should be taking better care of their funds.

                  I guess that is why people randomly get 0day-ed and lose all their funds.

                  I got hit with a 0day, twice, but didn't lose anything because of the way I managed it.

                  But yeah, the attack vector is definitely through a 0day, otherwise how else would they be able to open the SSH ports. I was just describing the attack vector, not whether it was likely to happen.

                  What happened with me was they managed to get into my tradingview account, that is all I can confirm because I noticed I was logged out of tradingview randomly. I have described in more detail the incident in another thread when I was replying to someone else, but these are very real risks.

                  The ad was some html code injected through googleadservices, that is all I could isolate it to because it affected Youtube.

                  With Linux it is easier to analyse what is running, but on Windows, good luck. lol. It doesn't mean Linux is 100% safe because the same type of 0days still exist, and in fact it is more profitable to infect Linux servers for the purposes of mining Monero and other CPU coins due to the increased efficiency.

                • +1

                  @gfunk zero: I forgot to elaborate on your comments, so I decided to come back and mention a few caveats.

                  Generally malware still has the possibility of mounting your Linux or Windows drive. It is trivial to find a driver to mount NTFS or ext4. I would not be surprised if malware does not already search for all files on the system to find Chrome instances and to extract the passwords. For me, I was running a Chrome Portable instance and it still took my credentials.

                  Unless you are using encryption on the partitions then it really isn't that safe. Furthermore, if you get malware it might just decide to destroy your files regardless, so partitioning is fairly useless since the malware can just mount the other partitions. For myself I prefer the physical separation I get from unplugging drives from their SATA ports, but you should know there are limited insertion cycles before the SATA connector can break. This is why I recommend using separate PCs. I only mentioned refurbs since they are cheap, but you also need to reflash the BIOS if you are going down that route and ensure you are using GPT, not MBR; a lot of other small things can get in the way if you understand the limitations of those used products. A few years back there were major issues with bootkits being reinstalled upon full reformat because they just re-infected the MBR, which would load before the Windows installation took place.

                  The other problem is some people just forget to unplug their drives and both become available to the malware which basically leaves you vulnerable, not only in the sense you lose passwords, but you lose physical data.

                  I would recommend a live CD route for those on a budget, and possibly just using two separate removable SSDs/HDDs if you are dual booting, since for the average user it is probably more difficult to find encryption solutions. Myself, I don't generally encrypt because if there is bitrot or other data loss, recovery becomes almost impossible, which can be very problematic when some people have important data they cannot afford to lose in a live system, e.g. data which you cannot really back up on the fly. Hard to explain, but think hot wallets, but something more important; although that is probably a bad example.

                  Furthermore, crypto really is a widely held product, and even though the statistics show wide adoption, there is a general negative trend on OzBargain against holding it. I have seen schoolgirls that are only aged 12 and doing rugpulls earning themselves 5 figures easily. I saw a young man aged 14 on Youtube live streaming his trades on Phemex playing with $100,000 accounts and using leverage with no KYC. You have all probably seen the fat young kid that was 10 years old who rug pulled $10k and became a meme.
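A defender-side triage helper for the checklist posted above (SSH enabled from WAN, the custom port TCP/53282 from the GreyNoise summary, the key from the OP, and the four IPs Asus says to block), written here as an added example; it is not code from GreyNoise, Asus or anyone in the thread. The nvram variable names sshd_enable, sshd_port and misc_http_x and their value meanings are assumed Asuswrt names, and all sample inputs are constructed.

```python
"""Triage helper for the indicators named in this thread (added example)."""
import re

# Indicator values quoted in the thread; the key is shown truncated there,
# so we match on the visible prefix only.
BACKDOOR_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
BACKDOOR_SSH_PORT = "53282"  # custom port from the GreyNoise summary
BLOCKLIST_IPS = {"101.99.91.151", "101.99.94.173",
                 "79.141.163.179", "111.90.146.237"}  # Asus/ZDNet list above

def parse_nvram(dump: str) -> dict:
    """Parse 'name=value' lines (as printed by `nvram show`) into a dict."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            settings[name.strip()] = value.strip()
    return settings

def assess(nvram: dict, authorized_keys: str) -> list:
    """Return findings from the thread's checklist; an empty list means none hit."""
    findings = []
    # Assumed Asuswrt semantics: sshd_enable 0=off, 1=LAN+WAN, 2=LAN only.
    if nvram.get("sshd_enable", "0") == "1":
        findings.append("ssh reachable from WAN")
    if nvram.get("sshd_port") == BACKDOOR_SSH_PORT:
        findings.append("ssh listening on backdoor port 53282")
    # Assumed nvram name for 'Enable Web Access from WAN'.
    if nvram.get("misc_http_x", "0") == "1":
        findings.append("web admin reachable from WAN")
    if any(BACKDOOR_KEY_PREFIX in k for k in authorized_keys.splitlines()):
        findings.append("attacker public key present in authorized_keys")
    return findings

def suspicious_peers(connections: str) -> set:
    """Return blocklisted IPs found in free-form text such as netstat output."""
    seen = set(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", connections))
    return seen & BLOCKLIST_IPS

# Constructed sample of a compromised configuration (not real device output).
SAMPLE_NVRAM = "sshd_enable=1\nsshd_port=53282\nmisc_http_x=0\n"
SAMPLE_KEYS = "ssh-rsa " + BACKDOOR_KEY_PREFIX + "REST_OF_KEY_TRUNCATED root@router\n"
SAMPLE_NETSTAT = "tcp 0 0 192.168.1.1:53282 101.99.91.151:41022 ESTABLISHED\n"

if __name__ == "__main__":
    print(assess(parse_nvram(SAMPLE_NVRAM), SAMPLE_KEYS))
    print(suspicious_peers(SAMPLE_NETSTAT))
```

On a real device the inputs would come from `nvram show`, the authorized_keys file named in the checklist, and `netstat`, run over SSH on the LAN side only.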
