At a glance: ASUS has issued multiple critical security advisories affecting AiCloud-enabled routers, DSL router families, MyASUS, and Armoury Crate software. Field Effect MDR detects vulnerable software and alerts users to associated risks, helping organizations respond quickly and reduce exposure.
Between November 14 and 26, 2025, ASUS published a series of security advisories addressing multiple critical vulnerabilities across its router firmware and supporting software.
The vulnerabilities affect widely deployed technologies including:
Many of the vulnerabilities carry high or critical CVSS scores, and some have already been linked to active exploitation campaigns targeting outdated devices.
Nine medium- to critical-severity vulnerabilities were discovered in routers running AiCloud—a cloud-based remote access feature that transforms routers into private cloud servers for media streaming and file storage.
The most severe flaw in this category is CVE-2025-59366, a critical vulnerability with a CVSS score of 9.8 stemming from Samba functionality. By chaining path traversal and OS command injection flaws, attackers can remotely execute functions without authentication.
On November 6, 2025, ASUS disclosed CVE-2025-9338, a vulnerability in the Armoury Crate AsIO3.sys driver. Exploitation requires a user to manually execute a crafted process and can lead to local privilege escalation.
On November 14, ASUS released firmware version 1.1.2.3_1010 to remediate CVE-2025-59367, a critical flaw affecting several DSL router models, including:
This flaw enables unauthenticated remote access to device interfaces and is rated CVSS 9.8.
On November 26, 2025, ASUS patched CVE-2025-59373, a local privilege escalation vulnerability in the ASUS System Control Interface used by MyASUS. The flaw allows low-privileged users to escalate to SYSTEM by abusing a restore mechanism. It is rated CVSS 8.5.
On November 19, 2025, public reporting detailed the WrtHug campaign, which hijacked large numbers of legacy ASUS WRT-series routers running outdated firmware and AiCloud-related features.
These routers provide wireless routing, network address translation, and remote-access services such as AiCloud, Secure Shell, Dynamic Domain Name System, and web administration from the wide area network. Many affected devices are end-of-life and no longer receive security updates, significantly increasing their exposure.
The campaign leverages previously disclosed authentication and command execution flaws to enable arbitrary command execution and full device control. Impact includes conversion of routers into proxy infrastructure for persistence, anonymization of malicious traffic, and potential espionage. Worst-case scenarios involve full compromise of network traffic and use of the router as a foothold for further intrusion.
Exploitation complexity is low to moderate due to widespread outdated firmware and reliance on known vulnerabilities.
Mitigation measures include applying the latest ASUS firmware updates released in November 2025. For routers that no longer receive support, replacing them with supported hardware is the most effective way to reduce exposure.
Organizations should disable AiCloud if it is not required, monitor router traffic for suspicious activity, and ensure endpoints running MyASUS are fully patched. Network segmentation and log monitoring can further reduce the risk of lateral movement. When patching cannot occur immediately, restricting remote access to router interfaces and disabling unused services are recommended interim steps.
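The mitigation steps above can be applied as a triage pass over a device inventory. The following is an added example, not code from ASUS or Field Effect: the inventory schema, device names, and the numeric left-to-right ordering of firmware fields are assumptions, and only the fixed DSL firmware version 1.1.2.3_1010 comes from the advisory text.

```python
import re

# Fixed firmware for CVE-2025-59367 on the affected DSL models, as stated above.
DSL_FIXED = "1.1.2.3_1010"

def parse_fw(version):
    """Split 'a.b.c.d_build' into a tuple of ints so versions compare numerically.
    Assumption: fields are ordered left to right, with the build number last."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*(_\d+)?", version):
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(p) for p in re.split(r"[._]", version))

def triage(device):
    """Return the list of actions for one inventory record (hypothetical schema)."""
    actions = []
    if device.get("end_of_life"):
        actions.append("replace: no longer receives security updates")
    elif device.get("family") == "dsl":
        try:
            # Numeric comparison matters: as strings, "990" sorts after "1010".
            if parse_fw(device["firmware"]) < parse_fw(DSL_FIXED):
                actions.append(f"update firmware to {DSL_FIXED} or later")
        except (KeyError, ValueError):
            actions.append("verify firmware version manually")
    if device.get("aicloud_enabled") and not device.get("aicloud_required"):
        actions.append("disable AiCloud")
    if device.get("wan_admin"):
        actions.append("restrict remote access to router interfaces")
    return actions

# Constructed sample inventory; names and fields are placeholders, not from the advisory.
INVENTORY = [
    {"name": "branch-dsl-01", "family": "dsl", "firmware": "1.1.2.3_990", "wan_admin": True},
    {"name": "branch-dsl-02", "family": "dsl", "firmware": "1.1.2.3_1010"},
    {"name": "legacy-wrt-01", "family": "wrt", "end_of_life": True, "aicloud_enabled": True},
    {"name": "lab-dsl-03", "family": "dsl", "firmware": "unknown"},
]

def report(inventory=INVENTORY):
    """Map each device name to its list of recommended actions."""
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, actions in report().items():
        print(name, "->", "; ".join(actions) or "no action")
```

Devices whose firmware string cannot be parsed are flagged for manual verification rather than treated as patched.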
Field Effect continuously monitors the cyber threat landscape for newly identified vulnerabilities. Field Effect MDR users are automatically alerted when vulnerable software is detected in their environment and are encouraged to review these AROs as soon as possible via the portal.
We strongly advise impacted users to install all required ASUS patches promptly, following the guidance provided in ASUS’s official advisory.