Thousands of ASUS Routers Hit by Persistent Backdoor

Persistent Attack Grants Remote SSH Access via Exploit Prajeet Nair (@prajeetspeaks) • May 29, 2025

Someone - possibly nation-state hackers - appears to be constructing a botnet from thousands of Asus routers in hacking that survives a firmware patch and reboots. Nearly 9,000 routers have been compromised and the number is growing, say researchers.

See Also: Gartner Report | Magic Quadrant for SD-WAN

Security firm GreyNoise warned Tuesday that hackers use a mix of known and previously undocumented vulnerabilities, including a command injection flaw tracked as CVE-2023-39780 to infect routers.

The tradecraft involved suggests "a well-resourced and highly capable adversary," possibly one constructing an operational relay box. ORBs are a method embraced by advanced persistent threat groups including intelligence agencies across the globe to hide nefarious activity by bouncing internet traffic through a swirl of compromised Internet of Things devices. One cybersecurity company describes them as the offspring of ...