In early 2025, cybersecurity researchers uncovered a stealthy campaign compromising over 9,000 ASUS routers. Dubbed "AyySSHush," this operation targets specific ASUS models, including RT-AC3100, RT-AC3200, and RT-AX55, by exploiting a known command injection vulnerability, designated CVE-2023-39780, alongside other authentication bypass techniques.
Once inside, the threat actors established persistent access by enabling SSH on a non-standard port (TCP/53282) and inserting their own SSH public key into the router's configuration. The changes were stored in the router's non-volatile memory (NVRAM), allowing the backdoor to survive firmware updates and reboots. To maintain stealth and avoid detection, the threat actors disabled logging and avoided deploying malware.
While no specific threat actor has been definitively linked to AyySSHush, the tactics employed bear resemblance to those used by advanced persistent threat (APT) groups. The use of legitimate system features for malicious purposes and the emphasis on stealth and persistence indicate a strategic approach, possibly laying the groundwork for a larger botnet or other malicious infrastructure.
ASUS has released firmware updates addressing CVE-2023-39780; however, these updates do not remove the persistent SSH backdoor if the router was compromised prior to the update.
Source: Bleeping Computer
Analysis
The AyySSHush campaign reflects a growing trend of threat actors targeting consumer and enterprise-grade networking devices for stealthy, persistent access. This campaign is notable not only for its sophistication—leveraging NVRAM storage to maintain backdoor access even after firmware updates—but also for its timing and context. It follows several other ASUS-related security incidents in 2025, including critical vulnerabilities in the ASUS DriverHub software that exposed users to remote code execution via manipulated .ini files and forged HTTP requests. These back-to-back compromises suggest that ASUS’s expanding ecosystem of interconnected hardware and software products is becoming an increasingly attractive attack surface.
ASUS routers, in particular, are popular among both home users and small businesses due to their wide availability, powerful hardware, and customizable firmware. This popularity gives threat actors a large potential footprint and a high return on investment when launching large-scale operations like botnet creation or espionage staging. The use of common but often unpatched vulnerabilities—such as CVE-2023-39780 in this case—demonstrates how threat actors can exploit lax update hygiene among end users to quietly hijack infrastructure without deploying traditional malware. By leveraging legitimate system functions like SSH and carefully avoiding detection, threat actors ensure long-term access with minimal noise.
Until device manufacturers prioritize secure defaults, timely patching, and stronger authentication mechanisms—particularly for internet-facing services—threat actors will continue to find success in exploiting consumer and small business networking equipment.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities in hardware like ASUS routers. Field Effect MDR users are automatically notified if vulnerable hardware is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly advises impacted users to install the necessary patches as soon as possible. Impacted users should also check for unauthorized SSH access, particularly on port 53282, and inspect the authorized_keys file for unfamiliar entries. If compromise is suspected, performing a full factory reset and manually reconfiguring the router is recommended to eliminate the backdoor.
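A defender-side check for the indicators listed above, added here as an example and not Field Effect's or ASUS's own tooling: it parses an `nvram show`-style dump and an authorized_keys listing (both constructed inline), flags SSH enabled on port 53282, and reports any key whose SHA256 fingerprint is not on an allowlist of keys the administrator recognises. The NVRAM variable names sshd_enable and sshd_port are assumed from ASUSWRT and may differ between firmware builds.

```python
import base64
import hashlib

BACKDOOR_PORT = "53282"  # non-standard SSH port reported for AyySSHush
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types

def parse_nvram(dump):
    """Turn `nvram show`-style key=value lines into a dict."""
    cfg = {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def key_fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPES):  # skip any leading options such as no-pty
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except ValueError:
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("=")
    return None  # blank line, comment, or nothing we recognise

def find_indicators(cfg, authorized_keys, known_fingerprints):
    """Return human-readable findings that match the AyySSHush pattern."""
    findings = []
    if cfg.get("sshd_enable", "0") != "0":  # NVRAM names assumed from ASUSWRT
        port = cfg.get("sshd_port", "22")
        if port == BACKDOOR_PORT:
            findings.append("sshd listening on AyySSHush port " + port)
        elif port != "22":
            findings.append("sshd enabled on non-default port " + port)
    for line in authorized_keys.splitlines():
        fp = key_fingerprint(line)
        if fp is not None and fp not in known_fingerprints:
            findings.append("unrecognised authorized key " + fp)
    return findings

# Constructed sample data: a fake ed25519 blob is enough to exercise the parser.
def _fake_key(seed):
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

ADMIN_KEY = _fake_key(1) + " admin@lan"
SAMPLE_NVRAM = "sshd_enable=1\nsshd_port=53282\nlan_ipaddr=192.168.50.1\n"
SAMPLE_AUTHORIZED_KEYS = ADMIN_KEY + "\n" + _fake_key(2) + " backup\n"
KNOWN_FINGERPRINTS = {key_fingerprint(ADMIN_KEY)}

def scan_sample():
    return find_indicators(parse_nvram(SAMPLE_NVRAM), SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS)

if __name__ == "__main__":
    for finding in scan_sample():
        print("[!]", finding)
```

On a real device, feed the output of `nvram show` and the contents of the router's authorized_keys into parse_nvram and find_indicators, and populate the allowlist from fingerprints you have verified out of band.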