Asus today issued a public response to recent online reports that “thousands of Asus routers” have been at risk of a vulnerability that potentially allows remote parties to gain administrative access to the hardware.
The company told me that it “remains fully committed to ensuring the security of its users” and that “firmware update notifications and security recommendations have been issued for supported models,” while offering a checklist of what users can do to keep their devices safe, as mentioned below.
So, what’s the deal?

Asus vulnerability: What it is and what you can do about it
It’s important to note that online security is a matter of degrees. As long as a device is connected to the Internet, there’s a level of risk.
In the case of Asus routers, the risk is higher because of a coding oversight in the ASUSWRT firmware, known since late 2023, that potentially allows remote parties to gain admin access to the routers silently. This issue was assigned the Common Vulnerabilities and Exposures (CVE) number CVE-2023-39780 (also known as CVE-2023-41346, CVE-2023-41347, and CVE-2023-41348).
Specifically, as described in this detailed GitHub thread, the firmware of the RT-AX55 contained a post-authentication command injection vulnerability, making the router more susceptible to brute-force attacks, in which attackers repeatedly try combinations of username and password until the correct one is guessed.
To clarify, all routers are susceptible to brute-force attacks. However, the vulnerability, according to Asus’ advisory page, makes select models more vulnerable when users use weak login credentials. The page also provides information on how to secure them. The vulnerability does not make any Asus router 100% hackable, and Asus has since implemented stricter login requirements for newer models.
In any case, once attackers gain access, they enable SSH via TCP port #53282 and store the backdoor access in the router’s flash memory, ensuring it remains intact even during firmware updates or router restarts. Additionally, the attacker might remove the standard router login, leaving them as the only one with administrative access to the router’s management, which could be used for future purposes, such as launching a botnet attack.
So far, that’s the only known extent of this vulnerability’s “damage”.
Asus vulnerability: How to find out if your router is affected?

Below are the steps to check if your router is affected, according to Asus. They align with what I have recommended for years.
From a connected computer, try logging in to the router’s web user interface by navigating to its IP address, which is 192.168.50.1 by default, in a browser:
- If you can’t log in for some reason, such as the password no longer working, then your router has likely been compromised.
- Your router might also have been compromised if you can log into its web user interface successfully, but you notice different settings that weren’t there before, such as:
  - New port forwarding entries that you didn’t put in yourself.
  - SSH is turned on (it’s generally off by default), and you didn’t intentionally enable it before.
  - Unusual DNS server settings.
In this case, follow the steps below, recommended by Asus, to rectify the situation, which are common steps in handling any similar situation.
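The SSH indicator from the checklist above can also be tested from a computer on the LAN. The following is an added example, not code from Asus or from the original article: it probes the TCP port the article names (53282) at the default router address and reports whether something that identifies itself as SSH answers. It assumes the router is at 192.168.50.1 and that the service, if present, is reachable from the LAN side.

```python
import socket

ROUTER_IP = "192.168.50.1"  # Asus default LAN address, as given in the article
BACKDOOR_PORT = 53282       # TCP port the article says attackers enable SSH on


def probe_tcp(host, port, timeout=3.0):
    """Return (state, banner); state is open, closed, filtered or unreachable."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", ""        # host answered, nothing is listening
    except socket.timeout:
        return "filtered", ""      # no answer at all within the timeout
    except OSError:
        return "unreachable", ""   # wrong address, no route, not on the LAN
    with sock:
        try:
            # An SSH server sends its identification line first ("SSH-2.0-...").
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:
            banner = ""            # port is open but the service stayed silent
    return "open", banner


def assess(host=ROUTER_IP, port=BACKDOOR_PORT, timeout=3.0):
    """Classify the probe result for the SSH indicator from the checklist."""
    state, banner = probe_tcp(host, port, timeout)
    if state == "open" and banner.startswith("SSH-"):
        verdict = "SUSPECT: SSH is answering on the port named in the article"
    elif state == "open":
        verdict = "REVIEW: port is open but did not identify itself as SSH"
    elif state == "closed":
        verdict = "OK: nothing is listening on this port from the LAN side"
    else:
        verdict = "UNKNOWN: no usable answer; check the address and connection"
    return {"host": host, "port": port, "state": state,
            "banner": banner, "verdict": verdict}


if __name__ == "__main__":
    result = assess()
    print(f"{result['host']}:{result['port']} -> {result['state']}")
    print(result["verdict"])
```

A clean result here covers only this one indicator; the port forwarding, SSH and DNS settings still need to be reviewed in the web user interface.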
Asus vulnerability: What to do when your router is affected
If you believe your router has been compromised, or just want to be cautious, here are the steps to rectify the situation and secure your router:
- If you’re unable to log in, perform a manual factory reset to clear any unauthorized or abnormal settings. Then upgrade it to the latest firmware.
- If you can log in, update the firmware to the latest version, and then perform a factory reset via the web user interface.
- Set a strong administrator password, specifically:
  - Use at least 10 characters, and include uppercase and lowercase letters, numbers, and symbols.
  - Use a different password from the one used for the Wi-Fi network. (The admin password is not used to access the Internet or connect a device to the Wi-Fi network.)
- Change the default “admin” username to something less obvious.
- Turn on the router’s built-in AiProtection feature.
Asus says that the steps above are also applicable to its End-of-Life models. However, for these dated routers, you should also disable all Internet-facing features such as SSH, DDNS, AiCloud, FTP, or Web Access from WAN.
All of these features—applicable only when the device is used in its default “router” role and not in any other operation modes, including an AiMesh satellite node, access point, repeater, or media bridge—are disabled by default. If you are unsure how to disable them or where to find them within the interface, simply reset the router to its default settings.
Generally, you should enable these advanced features only when you’re comfortable with port management.


The takeaway
There you go, the situation has not been as dire as you might have read somewhere. At the very worst, your Asus router’s admin access is compromised, and you, the owner, are kicked out of its admin web user interface. If so, you now have a chance to rectify that.
In any case, keeping the admin password secure and your router’s firmware up to date, at least the security portion of it, is all you need to ensure your Wi-Fi device is in good shape. Do that today!
I guess this only affects people that allow web GUI from WAN?
It affects those with easy to guess admin passwords as mentioned in the post.
Many users just use admin/admin or 12345678 as the account and password. It’s very easy for hackers to get into the router, with no need to spend any effort; that’s why these routers were hacked… so enhance the strength of your password from now on…
True that! If they change the username to something else, that’d help. But, generally, if you don’t take the admin access seriously, don’t be upset if you get “hacked”.
What about if you are running Asuswrt-merlin as many of us do with older systems?
Just make sure you have a good admin password and you’re fine, Dave. That’s the only problem to begin with, with this “vulnerability”.
Router login issues like this are why I mildly disagree with you about TP-Link’s customer login preferences especially for its Deco mesh products. True there may be a risk from TP-Link having your login data, especially when they still claimed to be a Chinese company (they now claim otherwise but AFAIK not everyone is convinced) & active backdoors were still rampant in its firmwares; but at least using a default router username & password is unlikely for Archers and basically impossible for Decos.
It’s always a matter of degrees. And Deco has a web interface, too. It’s just a matter of when someone figures out how to get in.