ASUS WRT routers legacy AiCloud/OS injection flaws (multiple vulnerabilities)
Vulnerability
Summary
ASUS WRT routers and ASUS AiCloud are facing active exploitation of six legacy vulnerabilities, creating elevated-privilege and persistence risk for end-of-life SOHO devices. The affected flaw set includes CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492. Researchers say the abuse has already reached thousands of routers worldwide.
Related Happenings
ASUS AiCloud routers critical authentication bypass (CVE-2025-59366)
Vulnerability
First: 26.11.2025 13:41
Last: 26.11.2025 13:41
Sources 1
About this happening:
**CVE-2025-59366** is a **critical authentication bypass** in **ASUS AiCloud-enabled routers** that can let remote, unauthenticated attackers execute functions without proper auth...
Unattributed operators campaign expands across multiple victims
Campaign
First: 19.11.2025 16:35
Last: 19.11.2025 16:35
Sources 1
How related:
Thousands of ASUS WRT routers, mostly end-of-life or outdated devices, have been hijacked in a global campaign called Operation WrtHug that exploits six vulnerabilities.
About this happening:
The **Operation WrtHug** campaign is hijacking **ASUS WRT routers** worldwide by exploiting **six vulnerabilities** and abusing **AiCloud**, creating a large pool of compromised d...
China-linked threat campaign expands across multiple victims
Campaign
First: 19.11.2025 12:20
Last: 19.11.2025 12:20
Sources 1
How related:
The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard's STRIKE team.
About this happening:
A **China-linked** operation called **Operation WrtHug** has compromised **thousands of ASUS WRT routers** worldwide, creating an espionage network with potential relay and stagin...
PolarEdge botnet activity targeting Cisco, ASUS, QNAP, and Synology routers
Malware Activity
First: 21.10.2025 16:47
Last: 21.10.2025 16:47
Sources 1
About this happening:
**PolarEdge** is a **botnet malware** operation whose updated analysis shows how infected **Cisco, ASUS, QNAP, and Synology routers** can be turned into remote-control footholds....
RondoDox multivector loader-as-a-service campaign
Campaign
First: 13.10.2025 13:12
Last: 13.10.2025 13:12
Sources 1
About this happening:
The **RondoDox** botnet campaign has expanded into **multivector exploitation** and **loader-as-a-service** distribution, widening risk to **internet-exposed infrastructure** acro...
Timeline
- 19.11.2025 12:20 · 2 articles
SecurityScorecard warns of WrtHug router compromise
Initial Disclosure
SecurityScorecard warned that Operation WrtHug has compromised thousands of ASUS WRT routers worldwide and assessed the activity as a China-linked espionage campaign targeting end-of-life ASUS SOHO devices. The campaign abuses CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492 to exploit ASUS AiCloud service and OS injection vulnerabilities, gain elevated privileges, and maintain persistence, while most infected devices also share the same self-signed TLS certificate and up to 50% of victims are in Taiwan. SecurityScorecard also noted overlap with AyySSHush and said the pattern resembles Chinese ORB and botnet operations.
Sources:
- China-Linked Operation “WrtHug” Hijacks Thousands of ASUS Routers — www.infosecurity-magazine.com — 19.11.2025 12:20
- New WrtHug campaign hijacks thousands of end-of-life ASUS routers — www.bleepingcomputer.com — 19.11.2025 16:35