
A severe vulnerability affecting over 9,000 Asus routers is being actively exploited by a sophisticated threat group, with long-term access and botnet potential sparking global cybersecurity warnings.
At a Glance
- CVE-2023-39780 is a critical command injection flaw with a severity score of 8.8
- Over 9,000 Asus routers have been compromised globally since March 2023
- The threat actor “ViciousTrap” is using the flaw to install persistent backdoors
- Attackers are enabling hidden SSH access and disabling system logs
- Asus has issued firmware patches; users must factory reset to fully remove the threat
Inside the Attack: Sophisticated Tactics at Scale
First detected by cybersecurity firm GreyNoise using AI tools, the campaign exploiting CVE-2023-39780 is both stealthy and widespread. The flaw allows attackers to execute arbitrary system commands via command injection, granting full control over targeted routers. According to TechRadar, the threat actors gain initial access via brute-force logins or authentication bypasses, then quietly install a backdoor into the router’s Non-Volatile Memory (NVRAM).
The attackers have also enabled SSH access on port 53828—well outside standard defaults—and disabled system logging to evade detection. Experts believe the operation may be laying the groundwork for a large-scale botnet or long-term espionage network.
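The article describes CVE-2023-39780 only as a command injection flaw, so the following is an added illustration of that vulnerability class rather than code from the article, from Asus, or from the affected firmware. It contrasts the injectable pattern (user input spliced into a shell command string) with a hardened handler that validates the parameter against a strict allow-list and passes it as a discrete argument with no shell involved. The "ping this host" diagnostic, the function names, and the hostname rule are assumptions chosen for illustration; the article does not say where the real injection point is.

```python
"""Added example: an injectable router-UI style handler next to a hardened one.
Assumptions (not from the article): a 'ping a host' diagnostic, these function
names, and a hostname/IPv4 allow-list as the validation rule."""
import re
import subprocess

# Allow-list for the parameter: dotted labels of letters, digits and hyphens,
# no label starting or ending with '-', total length capped at 253 characters.
# Anything else (spaces, ';', '|', '$', '`', quotes, leading '-') is rejected.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """The injectable pattern: the raw parameter is concatenated into a string
    that would then be handed to a shell (os.system / system(3)).  Returned,
    never executed, so the shape of the defect can be inspected safely."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname or IPv4 literal."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def build_ping_argv(host: str) -> list:
    """Hardened form: validated value becomes one argv element; no shell parses it.
    Because the allow-list forbids a leading '-', the value cannot be read as an
    option by ping either."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str, timeout: float = 10.0) -> int:
    """Execute the hardened form (shell=False) and return the exit status."""
    return subprocess.run(build_ping_argv(host), shell=False, timeout=timeout).returncode


def is_injectable_input(host: str) -> bool:
    """True when the allow-list would reject the value, i.e. when the vulnerable
    pattern above would have let extra shell syntax reach the command line."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False
```

The defensive point is that validation alone is not the fix: even a validated value should be passed as a separate argument rather than re-joined into a shell string, so that a later loosening of the allow-list does not silently reintroduce the injection.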
The Group Behind the Exploits: ViciousTrap
Security researchers at Sekoia have identified the campaign as the work of a group called “ViciousTrap,” whose activities include targeting Small Office/Home Office (SOHO) routers and digital video recorders. The group has also exploited a separate vulnerability, CVE-2023-20118, affecting Cisco Small Business routers. By exploiting these weaknesses, ViciousTrap is believed to have gained root-level access to thousands of devices.
This cross-vendor attack strategy is highly unusual and suggests an advanced actor capable of maintaining multiple persistent access points across diverse hardware platforms.
Long-Term Access and Network Risk
The real danger lies in the persistence mechanism. The NVRAM-based backdoor survives not only reboots but also most firmware updates. This allows attackers to maintain stealthy, long-term access, enabling them to:
- Intercept or monitor internet traffic
- Use infected routers as platforms for additional cyberattacks
- Coordinate devices into large-scale DDoS networks
- Scan for and infiltrate other devices on the same network
Cybersecurity experts warn that compromised routers could silently operate as part of an adversarial infrastructure for months before detection.
What You Can Do Right Now
If you own an Asus router, take immediate action to secure your network:
Step 1: Check for Compromise
- Log into your router’s admin interface
- Check whether SSH is enabled, and in particular whether it is listening on port 53828
- Look for unexpected logs or network activity
Step 2: Factory Reset Required
- A firmware update alone will not remove the backdoor
- Perform a full factory reset to clear the NVRAM
- Reinstall the latest firmware update after reset
Step 3: Strengthen Security
- Disable SSH access if not needed
- Replace default credentials with a strong password
- Block known malicious IPs if supported by your router
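The three steps above are manual. As an added example (not from the article, from GreyNoise, or from Asus), the script below automates the first of them from a computer on the LAN: it connects to the router on TCP port 22 and on port 53828, the port the article names, reads whatever the service sends first, and reports when an SSH identification string comes back. The router address 192.168.50.1 is an assumption (pass your own as the first argument), and the small local listener at the end exists only so the check can be exercised offline with a constructed banner; it is not a real device banner.

```python
"""Added example: LAN-side check for the SSH indicator described in the article.
Assumptions: router address 192.168.50.1 (override on the command line); the
fake listener and its banner are constructed for offline self-testing only."""
import socket
import sys
import threading

CAMPAIGN_PORT = 53828              # port named in the article
SSH_PORTS = (22, CAMPAIGN_PORT)    # 22 probed as well so both are reported
FAKE_BANNER = b"SSH-2.0-constructed-test-banner\r\n"   # constructed, self-test only


def classify_banner(banner: bytes) -> str:
    """'ssh' when the first line is an SSH identification string (RFC 4253
    format 'SSH-protoversion-softwareversion'), 'other' for any other data,
    'none' when the peer sent nothing before the timeout."""
    if not banner:
        return "none"
    first_line = banner.split(b"\n", 1)[0].strip()
    return "ssh" if first_line.startswith(b"SSH-") else "other"


def probe_port(host: str, port: int, timeout: float = 2.0) -> dict:
    """Connect, read the server's opening bytes, and classify them."""
    result = {"port": port, "open": False, "service": "none"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["open"] = True
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256)   # SSH servers speak first, so no request is sent
            except socket.timeout:
                banner = b""
            result["service"] = classify_banner(banner)
    except OSError:
        pass                               # refused, filtered, or unreachable: stays closed
    return result


def check_router(host: str, ports=SSH_PORTS, timeout: float = 2.0) -> list:
    return [probe_port(host, port, timeout) for port in ports]


def findings(results) -> list:
    """Turn probe results into the messages a user needs to act on."""
    messages = []
    for r in results:
        if not (r["open"] and r["service"] == "ssh"):
            continue
        if r["port"] == CAMPAIGN_PORT:
            messages.append(
                f"SSH answering on port {CAMPAIGN_PORT}: matches the indicator reported "
                "for this campaign; factory reset, then reinstall the latest firmware"
            )
        else:
            messages.append(f"SSH answering on port {r['port']}: disable it if not needed")
    return messages


def start_fake_ssh_listener(banner: bytes = FAKE_BANNER) -> int:
    """Self-test helper (constructed): a loopback listener that sends an
    SSH-style banner to the first client and then exits.  Returns its port."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        with conn:
            conn.sendall(banner)
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.50.1"   # assumed LAN address
    for line in findings(check_router(target)) or ["no SSH service found on probed ports"]:
        print(line)
```

A closed or filtered port is reported as not open, so a negative result only says that nothing answered from the LAN side; the article's advice to also inspect the admin interface for SSH settings and unexpected log gaps still applies, and a positive result on 53828 is a reason to reset and reflash rather than merely to switch SSH off.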
Industry and Government Reaction
The seriousness of the campaign led GreyNoise to delay public disclosure at the request of government officials to coordinate response efforts. While CISA declined direct comment, Asus has issued firmware patches and security advisories. However, experts stress that updating firmware is not enough—resetting the device is mandatory to eliminate persistent access.
As the volume and sophistication of attacks on edge devices grow, router manufacturers are under increasing pressure to integrate robust, security-first designs. Meanwhile, end users must stay vigilant by regularly updating firmware, monitoring network behavior, and disabling unnecessary remote access features.
In an era of increasingly distributed and invisible threats, even everyday hardware like a home router can become a beachhead for advanced cyber campaigns.