ASUS Routers Hit By Stealthy Backdoor Botnet Attack That Evades Firmware Upgrades

Heads up if you have an ASUS router in your home or office, as there's a backdoor exploit doing the rounds affecting 9,000 devices and counting. This event came to light by way of the security firm GreyNoise, whose Sift AI tool spotted some odd-looking traffic and flagged it for a closer look.

The page describing the exploit doesn't mention specific ASUS router models; we're guessing that's because the initial means of installing the backdoor is to gain access to the router through common brute-force login attempts and authentication bypasses. Once the attackers have gained a measure of access, they exploit CVE-2023-39780 to run system commands, then disable logging and configure a remote access service (SSH) on port 53282 with their own key.

This latter configuration is done using the standard configuration tools present in most any router, and no actual malware is installed on the device. Because the change lives in the router's saved configuration rather than in the firmware, the remote backdoor remains active even if you reboot the router, or even if you update the firmware. To see if your router is affected, try connecting to SSH on port 53282; if you get a connection, you know it's hacked.

To permanently get rid of this access, you can disable the respective SSH configuration, or perform a full factory reset, at the cost of having to reconfigure the router. GreyNoise discovered the exploit on March 18 and, after responsible disclosure to ASUS and relevant government entities, has now posted the full details. Out of an abundance of caution, you'll want to monitor your network for traffic from IPs 101.99.91.151, 101.99.94.173, 79.141.163.179, and 111.90.146.237.
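
The two checks suggested above (probing port 53282 for an SSH service, and watching for the four listed IPs) can be scripted as follows. This is an added example, not code from GreyNoise or ASUS; the router address 192.168.1.1 and the log line format are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
import socket

BACKDOOR_PORT = 53282  # SSH port named in the article
IOC_IPS = {ipaddress.ip_address(ip) for ip in (  # the four IPs from the article
    "101.99.91.151", "101.99.94.173", "79.141.163.179", "111.90.146.237")}
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines (format is illustrative, not real router output).
SAMPLE_LOG = [
    "May 28 10:00:01 kernel: ACCEPT IN=eth0 SRC=101.99.91.151 DST=192.168.1.1 DPT=53282",
    "May 28 10:00:05 kernel: ACCEPT IN=br0 SRC=192.168.1.20 DST=1.1.1.1 DPT=53",
    "May 28 10:01:12 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 DPT=22",
    "May 28 10:02:40 kernel: ACCEPT IN=eth0 SRC=111.90.146.237 DST=192.168.1.1 DPT=53282",
]


def probe_ssh(host, port=BACKDOOR_PORT, timeout=3.0):
    """Return 'no-connection', 'open-ssh' or 'open-other' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)  # SSH servers send "SSH-2.0-..." first
            except OSError:  # timeout or reset while waiting for a banner
                banner = b""
    except OSError:  # refused, filtered or unreachable
        return "no-connection"
    return "open-ssh" if banner.startswith(b"SSH-") else "open-other"


def ioc_hits(log_lines):
    """Return (line_number, ip) for every article IP found in the lines."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:  # e.g. 999.1.1.1 is not a valid address
                continue
            if ip in IOC_IPS:
                hits.append((n, tok))
    return hits


if __name__ == "__main__":
    print(probe_ssh("192.168.1.1"))  # assumed router LAN address
    print(ioc_hits(SAMPLE_LOG))
```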