Inside the Asus Router Botnet That Turned Defense Into a Weapon
A newly uncovered botnet is targeting Asus RT-AC3100 and RT-AC3200 routers, exploiting their AI-powered security feature, AiProtection, for persistence.
Detected by GreyNoise in March 2025, the multi-stage attack begins with brute-force attempts on “login.cgi” and older authentication bypass flaws. Once inside, attackers exploit a command injection vulnerability (CVE-2023-39780) to trigger a logging feature in AiProtection by creating /tmp/BWSQL_LOG.
This logging component, BWDPI, is abused to inject crafted payloads, enabling SSH access on a hidden port and adding the attackers’ keys — a change that persists even after firmware upgrades.
GreyNoise warns that firmware updates won’t remove the backdoor. Instead, admins must monitor TCP port 53282 and check for /tmp/BWSQL_LOG to detect compromise. Asus also acknowledged CVE-2025-2492, another critical flaw potentially linked to the botnet’s initial access path.
Changing default credentials and tracking indicators of compromise remain essential defenses.
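The two checks described above (a listener on TCP 53282 and the presence of /tmp/BWSQL_LOG), as an added shell example that is not GreyNoise or Asus code. It reads /proc/net/tcp directly, since a router shell may lack ss or netstat; the function names, the ROOT prefix argument and the sample table are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks the two indicators the article names.
IOC_PORT=53282
IOC_FILE=/tmp/BWSQL_LOG

# port_listening TABLE PORT: succeeds if TABLE (/proc/net/tcp format) has a
# socket bound to PORT in LISTEN state (st = 0A). LISTEN only, so an outbound
# connection that happens to use the same source port is not flagged.
port_listening() {
    table=$1
    want=$(printf '%04X' "$2")
    [ -r "$table" ] || return 1
    awk -v want="$want" '
        NR > 1 {
            n = split($2, a, ":")            # local_address is HEXADDR:HEXPORT
            if (toupper(a[n]) == want && toupper($4) == "0A") found = 1
        }
        END { exit (found ? 0 : 1) }' "$table"
}

# check_router ROOT: ROOT is a path prefix (hypothetical parameter), empty on
# a live router or a directory holding a copied /tmp and /proc/net.
# Prints each indicator found; returns non-zero if there is at least one.
check_router() {
    root=$1
    hits=0
    if [ -e "$root$IOC_FILE" ]; then
        echo "IOC: $IOC_FILE is present"
        hits=$((hits + 1))
    fi
    for t in "$root/proc/net/tcp" "$root/proc/net/tcp6"; do
        if port_listening "$t" "$IOC_PORT"; then
            echo "IOC: listener on TCP $IOC_PORT (from $t)"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample table: listeners on 80 (0x0050) and 53282 (0xD022).
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 00000000:D022 00000000:0000 0A 00000000:00000000
EOF
}
check_router "${1:-}" || echo "Indicators found: treat this router as compromised"
```

Because /tmp is normally cleared on reboot, a missing /tmp/BWSQL_LOG alone does not clear a device; the port check should be run as well.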

