Thousands of Asus routers have been compromised due to a newly discovered botnet called ‘AyySSHush.’ The stealth attack was detected in March 2025 by cybersecurity firm GreyNoise, which reportedly exploits authentication and makes use of the router features to maintain long-term access. Notably, the backdoor does not make use of any malware, and the unauthorized access cannot be removed using firmware updates.
The attack begins with threat actors targeting the routers through brute-force login attempts and exploiting authentication bypass techniques, some of which remain undocumented without assigned CVEs. Once inside, they target and exploit CVE-2023-39780, a known command injection vulnerability, to execute arbitrary system-level commands. This technique allows the attackers to manipulate the router’s configuration using legitimate functions within the firmware.
The attackers use official Asus router features to gain persistent access. They also gain the ability to enable SSH on a non-standard port (TCP 53282) and install their own public SSH key, enabling remote administrative control. Since the backdoor is written to the router’s non-volatile memory (NVRAM), it can survive both firmware updates and device reboots. Additionally, by disabling system logging and the router’s AiProtection security features, the attackers ensure that they cannot be detected.
According to GreyNoise’s report, the techniques used by the attackers suggest thorough planning for long-term access and demonstrate a deep knowledge of the system’s architecture. Over 9,000 Asus routers have been confirmed as compromised, according to data from Censys, a platform that monitors and maps internet-facing devices globally. Censys identifies devices that are exposed to the internet, while GreyNoise detects which of those devices are being actively targeted or exploited. This offers a clearer picture of both the scale and stealth of the ongoing campaign.
The discovery of the exploit was made using GreyNoise’s AI-powered analysis tool called 'Sift.' It flagged just three HTTP POST requests targeting Asus router endpoints for deeper inspection, which were then observed using emulated Asus profiles running factory firmware. Surprisingly, Sift detected only 30 malicious requests over a period of three months, despite compromising thousands of devices.
Asus has released a new firmware update addressing CVE-2023-39780, as well as the initial undocumented login bypass techniques. However, the update is more or less a preventive measure. Any router that has been exploited previously, upgrading the firmware is not going to remove the SSH backdoor. This is because the malicious configuration changes are stored in non-volatile memory and are not overwritten during standard firmware upgrades.
To ensure routers are fully secured, users are advised to take additional manual steps, including checking for active SSH access on TCP port 53282, reviewing the authorized_keys file for unfamiliar entries, and blocking the known malicious IP addresses that may be associated with the campaign. If a device is suspected to be compromised, it is best to perform a full factory reset and then reconfigure the router from the beginning.
Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.
