
Critical Authentication Bypass Flaws in ASUS DSL and AiCloud Routers

1 unique source, 2 articles

Summary


ASUS has released firmware updates to patch multiple critical authentication bypass vulnerabilities, including CVE-2025-59367 and CVE-2025-59366, affecting various DSL and AiCloud-enabled routers. The flaws allow remote, unauthenticated attackers to gain unauthorized access to unpatched devices exposed online. Affected models include DSL-AC51, DSL-N16, DSL-AC750, and other AiCloud-enabled routers. Users are advised to update to the latest firmware version and implement additional security measures to mitigate potential attacks.

Timeline

  1. 26.11.2025 13:41 1 article · 23h ago

    ASUS Releases Firmware Update for Critical Authentication Bypass Flaw in AiCloud Routers

    ASUS has released new firmware to patch nine security vulnerabilities, including a critical authentication bypass flaw (CVE-2025-59366) in routers with AiCloud enabled. The flaw can be triggered by an unintended side effect of the Samba functionality, potentially leading to execution of specific functions without proper authorization. Remote attackers without privileges can exploit it by chaining a path traversal and an OS command injection weakness in low-complexity attacks that don't require user interaction. Users are advised to disable services accessible from the Internet and update their firmware immediately.

  2. 26.11.2025 13:41 1 article · 23h ago

    Operation WrtHug Exploits Critical Authentication Bypass Flaw in ASUS WRT Routers

    In April, ASUS patched another critical authentication bypass flaw (CVE-2025-2492) that can be triggered by a crafted request targeting routers with AiCloud enabled. This flaw has been exploited to hijack thousands of ASUS WRT routers in a global campaign called Operation WrtHug, targeting end-of-life or outdated devices from Taiwan and across Southeast Asia, Russia, Central Europe, and the United States. SecurityScorecard researchers believe the hijacked routers may be used as operational relay boxes (ORB) in Chinese hacking operations, as stealth relay nodes for proxying and hiding command-and-control infrastructure.

  3. 14.11.2025 11:52 2 articles · 13d ago

    ASUS Releases Firmware Update for Critical Authentication Bypass Flaw in DSL Routers

    ASUS has released firmware version 1.1.2.3_1010 to address a critical authentication bypass vulnerability (CVE-2025-59367) in DSL-AC51, DSL-N16, and DSL-AC750 routers. The flaw allows remote, unauthenticated attackers to gain unauthorized access to unpatched devices exposed online. Users are advised to update their firmware and implement additional security measures to mitigate potential attacks.


Similar Happenings

D-Link DIR-878 routers affected by multiple RCE vulnerabilities

D-Link has disclosed four vulnerabilities in its end-of-life DIR-878 router, including three remotely exploitable command execution flaws. The vulnerabilities affect all models and hardware revisions of the router, which is still available for purchase. D-Link has warned that it will not release security updates for this model and recommends replacing it with an actively supported product. The vulnerabilities include CVE-2025-60672 and CVE-2025-60673, which allow remote unauthenticated command execution via unsanitized parameters, and CVE-2025-60674, a stack overflow in USB storage handling. Proof-of-concept exploit code has been published by a researcher, increasing the risk of exploitation by threat actors.

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.

Critical Command Injection Vulnerabilities in TP-Link Omada Gateways

TP-Link Omada and Festa VPN routers are affected by six critical command injection vulnerabilities, including newly discovered CVE-2025-7850 and CVE-2025-7851. These flaws allow for arbitrary OS command execution and root access, potentially leading to full compromise, data theft, lateral movement, and persistence. The vulnerabilities affect multiple Omada gateway models and firmware versions. Firmware updates have been released to address these issues. TP-Link Omada gateways are full-stack solutions for small to medium businesses, including router, firewall, and VPN gateway functionalities. The flaws, CVE-2025-6542 and CVE-2025-6541, can be exploited remotely without authentication or via the web management interface. Two additional severe flaws, CVE-2025-8750 and CVE-2025-7851, can allow authenticated command injection and root access under certain conditions. The newly discovered vulnerabilities, CVE-2025-7850 and CVE-2025-7851, are due to an incomplete fix of a previous vulnerability, CVE-2024-21827, leaving residual debug code and insecure private key usage.

Remote Code Execution Vulnerability in DrayTek Vigor Routers

DrayTek has disclosed a remote code execution vulnerability in several Vigor router models. The flaw, CVE-2025-10547, allows unauthenticated remote attackers to execute arbitrary code by sending crafted HTTP or HTTPS requests to the Web User Interface (WebUI). Successful exploitation can cause memory corruption and system crashes, potentially leading to remote code execution. The vulnerability affects a wide range of Vigor router models, commonly used in prosumer and SMB environments. DrayTek has released firmware updates to mitigate the risk, and administrators are advised to apply these updates immediately.

TP-Link Router Vulnerabilities Actively Exploited in the Wild

Two security flaws in TP-Link routers are being actively exploited. The vulnerabilities, CVE-2023-50224 and CVE-2025-9377, affect multiple router models, including the TL-WR841N and Archer C7, and allow for authentication bypass and remote code execution, respectively. The exploits are linked to the Quad7 botnet and a China-linked threat actor, Storm-0940. Federal agencies must apply mitigations by September 24, 2025. TP-Link has released firmware updates to address these issues. The affected routers have reached end-of-life and end-of-service status, and users are advised to upgrade to newer hardware for enhanced protection.