"Around 50,000 ASUS routers have been compromised in a sophisticated attack..."

For some reason I find it surprising that 50,000 people thought it was a good idea to turn on remote access to their routers. You don't want to do that even with OPNsense or UniFi. UniFi's cloud management scares me too -- yet many businesses use it even though you'd think they would know better.
 

I'm surprised it's not MORE than 50k....

The average homeowner has ZERO knowledge of what the different settings on their router really mean - especially when it comes to network security. Of course most people on this forum are not "average" or they wouldn't have found this site to begin with.
 
My new Asus router that I installed a month ago came with remote access off by default.
 
I have the AX-55. Port forwarding and remote access are off by default.
Now if you're a putz, and didn't change the default admin/pwd settings, you're vulnerable to anything.
This thing sat largely as a wifi repeater after I got the Verizon modem/switch.
Earlier this month we had Gateway Fiber connected. Now it's back in a big way.

Because the MyQ Garage door opener, and the Amcrest doorbell, and the Tapo c121, AND her Wyze garbage bedroom paranoia cam,
are all on the wifi network of the Asus SSID "106thAve", AND the LAN IP range of all the cameras and BI machine are all on 192.168.0.xxx,
deep breath...
It was too damn much hassle right now to take down the whole network to get to the Gateway Fiber's Router/switch LAN IP range of 192.168.40.xxx
with its limited access APP which allows very little management settings.
I haven't gone deep on the Zyxel EX5512-TO yet via LAN. So I've got a Static IP from their modem to a Provided Zyxel router to an ASUS ax-55 at the moment and getting about 320 up and 318 down via LAN and 314down/246up on the mobile phone. The 246 Up congestion is probably because the TAPO and Wyze are multicasting feeds to a Chinese reality TV show probably called (WhatdatHonkyDoingnow) servers in Hong Kong.
 
It may be worth knowing which routers were affected. I copied the following from "The Register" (May 2025) which was linked in the first post of this thread.

"The specific models affected included the RT-AC3100, RT-AC3200, and RT-AX55. The latter remains one of the more popular Wi-Fi 6 routers to this day, and although the RT-AC3100 and RT-AC3200 are Wi-Fi 5-based, they were both widely used, high-end models when they launched around ten years ago."

At the bottom of the same write up from May 2025:

"It also reminded users that updates alone won't close off the SSH backdoor, so they should check for any signs of compromise.

If users think they may have been hit, or for those who aren't technical enough to check, it's factory-reset time."

From the Nov 2025 write up:
"The affected routers are primarily concentrated in Taiwan and Southeast Asia, with minimal impact on mainland China, Russia, or the United States."
 