Asus urges factory resets and strong passwords following botnet breach

Skye Jacobs

In context: Asus has taken a proactive approach in responding to a recent botnet attack, not only patching the vulnerability but also providing step-by-step guidance to help users fully remove persistent backdoors. The company acknowledged that firmware updates alone are insufficient and is recommending factory resets and strong password practices, demonstrating a level of transparency rarely seen in large-scale router security incidents.

The company's guidance follows the discovery of a widespread botnet attack that has compromised over 9,000 Asus routers globally. Known as the "AyySSHush" botnet, the campaign exploits a previously disclosed vulnerability to install a persistent backdoor, allowing attackers to retain remote access even after firmware updates or device reboots.

The attack leverages a command injection flaw, tracked as CVE-2023-39780, which was publicly disclosed in 2023. Threat actors use this vulnerability to enable SSH access on a non-standard port (TCP 53282) and insert their own public SSH key into the router's configuration. Because this modification is stored in non-volatile memory, it survives firmware updates and restarts. The attackers also disable logging and security features to evade detection, enabling long-term, stealthy control over the compromised routers.

Cybersecurity firm GreyNoise uncovered the botnet using its AI-powered monitoring platform. The firm described the threat actors as sophisticated and well-resourced, though no attribution has been made. Despite the scale of the compromise, the botnet's activity has so far been limited, with only a few dozen related requests observed over several months.

Asus has emphasized that while the vulnerability has been patched in the latest firmware updates, updating alone is not enough to eliminate the backdoor if the router is already compromised.

The company recommends a three-step process: first, update the router's firmware to the latest version; second, perform a factory reset to remove any unauthorized configurations; and third, set a strong administrator password. Asus advises using passwords that are at least 10 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols.

For routers that have reached end-of-life and no longer receive firmware updates, Asus suggests installing the most recent available version, disabling all remote access features such as SSH, DDNS, AiCloud, and WAN-side web access, and ensuring that port 53282 is not exposed to the internet. Users are also encouraged to monitor router logs for repeated login failures or unfamiliar SSH keys, which could signal a previous brute-force attack.
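The checks described above (SSH listening on TCP 53282, an authorized key the administrator never installed, logging switched off, and repeated failed logins) can be run offline against an exported settings dump, the router's authorized_keys list and its syslog. The script below is an added example and is not Asus tooling or code from the article; the settings variable names (`sshd_enable`, `sshd_port`, `log_level`), the key=value dump format and the Dropbear-style "Bad password attempt" log line are assumptions about what the export looks like, and all sample data is constructed.

```python
"""Offline triage of a router export for the indicators named in the article.
Added example, not Asus's own tooling; variable names and log format are assumptions."""

import re
from collections import Counter

SUSPICIOUS_SSH_PORT = 53282      # port named in the article
FAILED_LOGIN_THRESHOLD = 5       # assumption: flag five or more failures from one source

# Constructed settings dump (hypothetical variable names, key=value per line).
SAMPLE_SETTINGS = """\
sshd_enable=1
sshd_port=53282
log_level=0
"""

# Constructed: the one key the administrator knowingly installed.
EXPECTED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY00000000000000000000 admin@laptop
"""

# Constructed: what the router actually holds; the second key was not added by the admin.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY00000000000000000000 admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCONSTRUCTEDUNKNOWNKEY00000000000000000 unknown
"""

# Constructed syslog lines loosely modelled on Dropbear's failed-login message.
SAMPLE_SYSLOG = "\n".join(
    [f"May 20 01:02:{s:02d} router dropbear[1234]: Bad password attempt for 'admin' from 203.0.113.9:41{s:03d}"
     for s in range(10, 16)]
    + ["May 20 01:09:00 router dropbear[1234]: Bad password attempt for 'admin' from 198.51.100.7:50000",
       "May 20 01:10:00 router dropbear[1234]: Password auth succeeded for 'admin' from 192.168.1.10:51000"]
)

FAILED_RE = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")


def parse_settings(text):
    """Parse a key=value dump into a dict, skipping blank and comment lines."""
    settings = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def key_identity(line):
    """Return (key type, base64 body) of an authorized_keys line, ignoring options and comment."""
    parts = line.split()
    for i, part in enumerate(parts):
        if part.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            return (part, parts[i + 1])
    return None


def unexpected_keys(authorized_keys_text, expected_keys_text):
    """Lines in authorized_keys whose key material is not in the administrator's list."""
    expected = {key_identity(l) for l in expected_keys_text.splitlines()} - {None}
    return [l.strip() for l in authorized_keys_text.splitlines()
            if key_identity(l) is not None and key_identity(l) not in expected]


def failed_logins_by_source(syslog_text):
    """Count failed SSH logins per source address."""
    counts = Counter()
    for line in syslog_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def assess(settings_text, authorized_keys_text, expected_keys_text, syslog_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    settings = parse_settings(settings_text)
    if settings.get("sshd_enable") == "1":
        port = int(settings.get("sshd_port", "22"))
        if port == SUSPICIOUS_SSH_PORT:
            findings.append(f"SSH enabled on TCP {port}, the port used by the campaign")
        else:
            findings.append(f"SSH enabled on TCP {port}; disable it unless it is needed")
    if settings.get("log_level") == "0":
        findings.append("logging appears to be disabled")
    for key_line in unexpected_keys(authorized_keys_text, expected_keys_text):
        findings.append(f"authorized key not in the administrator's list: {key_line}")
    for ip, count in failed_logins_by_source(syslog_text).items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{count} failed SSH logins from {ip}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SETTINGS, SAMPLE_AUTHORIZED_KEYS, EXPECTED_KEYS, SAMPLE_SYSLOG):
        print("FINDING:", finding)
```

Any finding about SSH on 53282 or an unrecognised key is the case the article says a firmware update alone will not fix, which is where the factory reset and new password come in; the failed-login count is the "repeated login failures" signal Asus asks users to watch for.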

Notably, Asus stated that it had already been developing firmware updates for the vulnerability – well before GreyNoise's public disclosure – including for models like the RT-AX55. The company also pushed notifications to affected users, urging them to update promptly after the exploit became widely known.

In addition, Asus has published updated guidance on its product security advisory page and expanded its knowledge base resources to help users mitigate ongoing risks.

The key takeaway from this is that hackers provide better legacy hardware support than ASUS. Also, a compromised router becomes completely harmless once unplugged and physically destroyed. That particular mitigation strategy has a 100% success rate.