GreyNoise stated its in-house AI device, SIFT, flagged suspicious site visitors geared toward disabling and exploiting a TrendMicro-powered safety characteristic, AiProtection, enabled by default on Asus routers.
Trojanizing the protection web
Asus’ AiProtection, developed with TrendMicro, is a built-in, enterprise-grade safety suite for its routers, providing real-time risk detection, malware blocking, and intrusion prevention utilizing cloud-based intelligence.
After gaining administrative entry on the routers, both by brute-forcing or exploiting recognized authentication bypass vulnerabilities of “login.cgi” — a web-based admin interface, the attackers exploit an authenticated command injection flaw (CVE-2023-39780) to create an empty file at /tmp/BWSQL_LOG.
Doing this prompts the BWDPI (Bidirectional Net Knowledge Packet Inspection) logging characteristic, a element of Asus’ AiProtection suite geared toward inspecting incoming and outgoing site visitors. With logging turned on, attackers can feed crafted (malicious) payloads into the router’s site visitors, as BWDPI isn’t meant to deal with arbitrary information.
On this specific case, the attackers use this to allow SSH on a non-standard port and add their very own keys, making a stealthy backdoor. “As a result of this secret is added utilizing the official Asus options, this config change is persevered throughout firmware upgrades,” GreyNoise researchers stated. “If you happen to’ve been exploited beforehand, upgrading your firmware will NOT take away the SSH backdoor.”
Whereas GreyNoise didn’t specify a selected CVE used as an authentication bypass for preliminary entry, Asus not too long ago acknowledged a essential authentication bypass vulnerability, tracked as CVE-2025-2492, affecting routers with the AiCloud characteristic enabled.
