ASUS has issued an urgent security advisory addressing multiple critical vulnerabilities, including a severe authentication bypass flaw in routers with the AiCloud feature enabled [1]. This development, part of a firmware update patching nine security issues, occurs against a backdrop of historical security incidents and ongoing botnet campaigns targeting the company’s hardware. The newly identified flaw, tracked as CVE-2025-59366, carries a CVSS v4.0 score of 9.2 and is described as an unintended side effect of the Samba functionality within AiCloud [1, 2]. This allows unauthenticated remote attackers to execute specific functions without authorization, which can be chained with a path traversal and OS command injection for greater impact.
Concurrently, a separate critical authentication bypass flaw, CVE-2025-59367 (CVSS 9.3), has been identified in ASUS DSL-series routers, including the DSL-AC51, DSL-N16, and DSL-AC750 models [4, 6]. Analysis from the 2600 Facebook group starkly illustrates the risk: “If your router’s management interface is exposed to the internet, an attacker can connect remotely without any credentials. No username. No password. Direct admin access” [6]. These vulnerabilities represent a low-complexity attack vector requiring no user interaction, making them particularly dangerous for exposed devices.
Technical Breakdown of the Router Vulnerabilities
The AiCloud vulnerability (CVE-2025-59366) stems from a flaw in how the Samba service handles authentication for certain functions. This bypass allows an attacker to interact with the router’s administrative interface without providing valid credentials. Once this initial barrier is overcome, an attacker can chain this flaw with a path traversal vulnerability to access restricted directories and, subsequently, leverage an OS command injection to execute arbitrary code on the device [1, 3]. The attack is entirely remote and requires no prior configuration or access to the local network, provided the router’s management interface or related services are exposed to the internet.
For the DSL-series routers, the flaw (CVE-2025-59367) appears to be a fundamental failure in the authentication mechanism of the web management interface. The vulnerability completely negates the login process for remote connections, granting immediate administrative control. This type of flaw is a primary target for botnet operators seeking to build networks of compromised devices. ASUS has released patched firmware for the AiCloud flaw in versions 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102, while the DSL-series flaw is addressed in firmware 1.1.2.3_1010 [1, 2, 6].
MyASUS PC Software Vulnerability
Beyond routers, ASUS has also patched a high-severity local privilege escalation flaw in its PC software. Tracked as CVE-2025-59373 (CVSS 8.5), this vulnerability exists in the ASUS System Control Interface, a component of the MyASUS application [3]. The flaw allows an unprivileged user on a Windows system to plant files in protected directories, leading to arbitrary code execution with SYSTEM-level privileges. This would enable an attacker with initial low-level access to a system to fully compromise it.
The affected software is the MyASUS application, which is prevalent on ASUS laptops, desktops, mini-PCs, and all-in-one systems. Patched versions, ASUS System Control Interface 3.1.48.0 (x64) and 4.2.48.0 (ARM), are available via Windows Update or the ASUS support portal [3]. This vulnerability highlights the expanding attack surface that includes vendor-supplied support software, which often operates with high levels of system trust.
Historical Context and Ongoing Threats
This is not the first time ASUS has grappled with critical flaws in its AiCloud service. In April 2025, the company patched a similar critical authentication bypass (CVE-2025-2492, CVSS 9.2) [7, 8]. These and other vulnerabilities were exploited in the “Operation WrtHug” campaign, which hijacked thousands of end-of-life (EoL) ASUS routers to use as stealth relay nodes [1, 10]. This historical precedent demonstrates a pattern of similar vulnerabilities and confirms that threat actors are actively monitoring for and exploiting these weaknesses.
The situation is compounded by older, yet still actively exploited, flaws. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added older ASUS router vulnerabilities, such as CVE-2023-39780 and CVE-2021-32030, to its Known Exploited Vulnerabilities catalog [4, 9]. In June 2025, ASUS issued an official statement specifically addressing CVE-2023-39780, recommending firmware updates, factory resets, and strong passwords for potentially compromised devices [9]. Botnets continue to target these vulnerabilities; the “AyySSHush” botnet compromised over 9,000 ASUS routers in May 2025 to install persistent SSH backdoors, while the “Quad7” botnet targets routers to launch password spray attacks from residential IP addresses, making malicious traffic appear legitimate [6].
Broader Implications for Network Security
Vulnerabilities in consumer-grade routers are highly prized by threat actors. Compromised routers can be integrated into botnets for Distributed Denial-of-Service (DDoS) attacks, used for cyber espionage, or employed as operational relay boxes to obscure the origin of malicious traffic [1, 6]. The 2600 Facebook post aptly summarized the concern, stating, “Your router protects your home network from the internet. Or it’s supposed to. Two major vendors just proved it doesn’t” [6]. This underscores a systemic challenge in the consumer networking device market.
While ASUS is a CVE Numbering Authority (CNA) and a member of FIRST, adhering to coordinated vulnerability disclosure processes [2], the recurrence of similar authentication bypass flaws points to persistent challenges in securing a complex hardware and software ecosystem. The case of TP-Link, mentioned alongside ASUS, highlights a related industry issue where vendors may patch individual bugs but leave underlying problematic code, leading to recurring vulnerabilities [6]. This pattern indicates a need for more robust software development lifecycles and thorough code audits for network infrastructure devices.
Mitigation and Remediation Steps
The primary and most critical action is to apply the available patches immediately. For routers, this means installing the latest firmware from the official ASUS support portal. The AiCloud flaw is patched in firmware series 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102, while the DSL-series flaw is addressed in firmware 1.1.2.3_1010 [1, 2]. For the MyASUS application on PCs, users must verify that the ASUS System Control Interface is updated to version 3.1.48.0 (x64) or 4.2.48.0 (ARM) via Windows Update or the ASUS portal [3].
For routers that are end-of-life and no longer receive firmware updates, ASUS recommends a defense-in-depth approach. This includes disabling all internet-facing services such as Remote Access from WAN, Port Forwarding, DDNS, VPN Server, and DMZ [1, 2]. Furthermore, using strong, unique passwords of 20 or more characters is advised. The most secure long-term solution for EoL devices that cannot be patched is to replace them with a currently supported model that receives regular security updates [6].
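The remediation steps above can be turned into an inventory check. The following is an added example, not code from ASUS or the cited reports: it compares recorded versions against the fixed DSL firmware and ASUS System Control Interface versions named in this article, and lists the hardening actions for end-of-life routers. The inventory records, device names and service key names are constructed for illustration; AiCloud router branches are not checked because only firmware series, not build numbers, are given here.

```python
import re

# Fixed versions exactly as stated in the article.
PATCHED = {"dsl_firmware": "1.1.2.3_1010", "asci_x64": "3.1.48.0", "asci_arm": "4.2.48.0"}
# Internet-facing services the article says to disable on EoL routers
# (key names are hypothetical, chosen for this example).
WAN_SERVICES = ("remote_access_wan", "port_forwarding", "ddns", "vpn_server", "dmz")
MIN_PASSWORD_LEN = 20

def version_key(version):
    """Split '1.1.2.3_1010' or '3.1.48.0' into ints so 999 sorts below 1010."""
    return tuple(int(part) for part in re.split(r"[._]", version.strip()))

def is_patched(kind, installed):
    return version_key(installed) >= version_key(PATCHED[kind])

def audit(device):
    """Return the list of remediation actions for one inventory record."""
    findings = []
    kind = device["kind"]
    if kind in PATCHED:
        try:
            if not is_patched(kind, device["version"]):
                findings.append(f"update to at least {PATCHED[kind]}")
        except ValueError:
            # Non-numeric or truncated version: do not guess, escalate.
            findings.append("unrecognised version string, check manually")
    elif kind == "eol_router":
        for service in WAN_SERVICES:
            if device.get("services", {}).get(service):
                findings.append(f"disable {service}")
        if device.get("admin_password_len", 0) < MIN_PASSWORD_LEN:
            findings.append("set a unique password of 20+ characters")
        findings.append("plan replacement with a supported model")
    return findings

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "branch-dsl", "kind": "dsl_firmware", "version": "1.1.2.3_999"},
    {"name": "hq-dsl", "kind": "dsl_firmware", "version": "1.1.2.3_1010"},
    {"name": "laptop-17", "kind": "asci_x64", "version": "3.1.47.0"},
    {"name": "lab-eol", "kind": "eol_router", "admin_password_len": 12,
     "services": {"ddns": True, "dmz": False, "remote_access_wan": True}},
]

if __name__ == "__main__":
    for device in INVENTORY:
        print(device["name"], audit(device) or "ok")
```

The numeric split matters: a plain string comparison would rank build `999` above `1010` and report the unpatched DSL router as fixed.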
The recurrence of critical vulnerabilities in ASUS products, set against a history of significant security incidents like the 2019 supply chain attack, signals a pressing need for continuous vigilance and proactive patch management. For network defenders, these flaws necessitate immediate action to update affected devices and review network configurations to minimize attack surfaces. The fact that these vulnerabilities are being actively exploited in the wild by botnets for various malicious campaigns elevates the risk from theoretical to imminent. Ensuring the security of network perimeter devices remains a foundational element of a robust security posture.
References
[1] “ASUS warns of new critical auth bypass flaw in AiCloud routers,” BleepingComputer, 2025-11-26.
[2] “ASUS Security Advisory | Latest Vulnerability Update,” ASUS.
[3] “ASUS patches critical vulnerabilities in routers and PC software,” CyberInsider, 2025-11-26.
[4] “ASUS Patches Critical Authentication Bypass Vulnerability in DSL Series Routers,” Daily Security Review, 2025-11-16.
[5] “ASUS users fall victim to supply chain attack through backdoored update,” CSO Online, 2019.
[6] “Asus and TP-Link routers have critical vulnerabilities,” 2600 – The Hacker Quarterly (Facebook), 2025-11-16.
[7] “ASUS AiCloud Routers Exposed to Authentication Bypass Risk,” MSSP Alert, 2025-04-21.
[8] “Critical authentication bypass bug impacts Asus routers with AiCloud,” SC World, 2025-04-21.
[9] “ASUS Official Statement on Recent Reports Regarding Router Security,” ASUS, 2025-06-04.
[10] “Weekly Top 10: 04.21.2025: ASUS AiCloud Authentication Bypass…,” Innovate Cybersecurity, 2025-04-21.