Overview
- SecurityScorecard's STRIKE team reported roughly 50,000 compromised ASUS WRT devices over six months, identified by a single long-lived TLS certificate shared across the devices' AiCloud services.
- Attackers leverage six known flaws — CVE-2023-41345/41346/41347/41348, CVE-2024-12912, and CVE-2025-2492 — to gain elevated privileges and persistence on end-of-life routers.
- Compromises are concentrated in Taiwan and Southeast Asia, with smaller clusters in the United States, Russia, and Central Europe; none were observed in China apart from Hong Kong.
- ASUS has released firmware updates addressing the exploited vulnerabilities, and owners of unsupported models are urged to replace devices or disable remote access features.
- Analysts assess with low-to-moderate confidence that the campaign is a China-affiliated ORB (operational relay box) facilitation effort, noting only seven IPs that overlap with the earlier AyySSHush campaign and that the attackers do not update the device firmware.