Thousands of ASUS WRT routers, mostly end-of-life or outdated devices, have been hijacked in a global campaign called Operation WrtHug that exploits six vulnerabilities.
Over the past six months, scanners looking for ASUS devices compromised in Operation WrtHug identified “roughly 50,000 unique IPs” around the globe.
Most of the compromised devices have IP addresses located in Taiwan, while others are distributed across Southeast Asia, Russia, Central Europe, and the United States.
Notably, there are no observed infections within China, which may indicate a threat actor from this country, but researchers found insufficient evidence for high-confidence attribution.
According to SecurityScorecard’s STRIKE researchers, based on targeting and attack methods, there may be a connection between Operation WrtHug and AyySSHush campaign, first documented by GreyNoise in May.
.jpg)
Source: SecurityScorecard
WrtHug attacks
The attacks begin with the exploitation of command injection flaws and other known vulnerabilities in ASUS WRT routers, mostly AC-series and AX-series devices.
According to STRIKE researchers, the WrtHug campaign may leverage the following security issues in attacks:
- CVE-2023-41345/46/47/48 – OS command injection via token modules
- CVE-2023-39780 – major command injection flaw (also used in the AyySSHush campaign)
- CVE-2024-12912 – arbitrary command execution
- CVE-2025-2492 – improper authentication control that can lead to unauthorized execution of functions
Of the vulnerabilities above, CVE-2025-2492 stands out as the only one with a critical severity score. A security advisory from ASUS in April warned about the severity of the flaw and that it could be triggered by a crafted request on routers that have the AiCloud feature enabled.
In a report today, SecurityScorecard says that “attackers seemingly leveraged the ASUS AiCloud service in this case to deploy a targeted global intrusion set.”
An indicator of compromise for this campaign is the presence of a self-signed TLS certificate in AiCloud services that replaced the standard one generated by ASUS in 99% of the breached devices. The new certificate captured attention because it has a lifetime of 100 years, compared to the original, which is valid for only 10 years.
STRIKE researchers used this unique certificate to identify 50,000 infected IPs.
Source: SecurityScorecard
Like in the AyySSHush campaign, the attackers do not upgrade the firmware of the compromised device, leaving it open to takeover by other threat actors.
Based on indicators of compromise, the researchers identified the following ASUS devices being targeted by Operation WrtHug:
• ASUS Wireless Router 4G-AC55U
• ASUS Wireless Router 4G-AC860U
• ASUS Wireless Router DSL-AC68U
• ASUS Wireless Router GT-AC5300
• ASUS Wireless Router GT-AX11000
• ASUS Wireless Router RT-AC1200HP
• ASUS Wireless Router RT-AC1300GPLUS
• ASUS Wireless Router RT-AC1300UHP
STRIKE believes that the compromised routers may be used as operational relay box (ORB) networks in Chinese hacking operations as stealth relay nodes, proxying, and hiding command-and-control infrastructure. However, the report does not delve into post-compromise operations and lacks specific details.
ASUS has issued security updates that address all of the vulnerabilities leveraged in the WrtHug attacks, so router owners should upgrade their firmware to the latest available version.
If the device is no longer under support, users are recommended to replace it or at least disable remote access features.
ASUS recently also fixed CVE-2025-59367, an authentication bypass flaw impacting several AC-series models, which, while not exploited yet, could be added to the attackers’ arsenal soon.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.