
Hackers are infecting older Asus routers with malware — how to stay safe

Over the past six months, researchers at SecurityScorecard’s STRIKE team have identified a new WrtHug campaign that's been scanning for compromised devices. They’ve found 50,000 unique IPs globally that appear to have been affected by the malware campaign, which targets end-of-life and outdated Asus router models. The campaign uses six vulnerabilities to hijack these devices and leaves vulnerable routers open for other hackers to use for a variety of malicious activities.

Most of the affected models that have been located were found in Taiwan, followed by Southeast Asia, Russia, Central Europe and the United States. The following Asus models are the ones currently being targeted in this campaign:

  • ASUS Wireless Router 4G-AC55U
  • ASUS Wireless Router 4G-AC860U
  • ASUS Wireless Router DSL-AC68U
  • ASUS Wireless Router GT-AC5300
  • ASUS Wireless Router GT-AX11000
  • ASUS Wireless Router RT-AC1200HP
  • ASUS Wireless Router RT-AC1300GPLUS
  • ASUS Wireless Router RT-AC1300UHP

The attacks begin with the exploitation of a command injection flaw as well as other known vulnerabilities. The STRIKE team believes that the compromised routers might be used as relay nodes in operational relay box (ORB) networks to hide command-and-control (C2) operations, but there are no further details in their report.

Asus issued security updates to address all six vulnerabilities used in the attacks, making it critical for router owners to update their firmware in a timely manner. Devices that are old enough to no longer be covered under support should be replaced or have their remote access features disabled. Some of the flaws currently being exploited include:

  • CVE-2023-39780 which is a major command injection flaw (also used in the AyySSHush campaign).
  • CVE-2024-12912 which is an arbitrary command execution flaw.
  • CVE-2025-2492 which is an improper authentication control flaw with a critical severity rating which can lead to unauthorized execution of functions. It can be triggered by a crafted request on routers that have Asus' AiCloud feature enabled.

How to keep your router safe

If you own an outdated router, especially one that's reached its end-of-life and is no longer supported, it's probably best to replace it right away with one of the best Wi-Fi routers instead. This way, your router will receive frequent software updates and security patches from its manufacturer.

However, regardless of your router model, you should always apply all available security patches and firmware updates as soon as possible. Likewise, you also want to use a strong and unique password with at least 16 characters to secure your home network. To make things easier, you can always use one of the best password managers to generate one for you and then securely store it. Additionally, you can disable remote administration, a feature that is often leveraged by hackers in their attacks, and reboot the device.

It’s also a good idea to make sure that you’re using the best antivirus software on all of your devices as many of them offer additional security features such as a VPN that can help protect your privacy when you’re online.

By using a new router with frequent security updates, you're essentially adding an extra layer of protection for all of the devices on your home network. If you want the latest and greatest Wi-Fi tech and have the budget for it, one of the best Wi-Fi 7 routers will provide you with the best overall experience. However, if you don't mind not having access to the faster 6GHz band, one of the best Wi-Fi 6 routers will still be a major upgrade.


Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
