Router Revolution: The WrtHug Takeover
Thousands of ASUS WRT routers, primarily older or outdated models, have fallen victim to a widespread cyber attack known as Operation WrtHug, which exploits six critical vulnerabilities.
Scanning activities over the last half-year have uncovered approximately 50,000 unique IP addresses globally, indicating the scale of the compromised ASUS devices.
Most of the affected routers are located in Taiwan, with others scattered across Southeast Asia, Russia, Central Europe, and the United States.
Interestingly, there have been no reported infections in China, suggesting a potential origin within the country. However, conclusive evidence for attribution remains elusive.
Researchers from SecurityScorecard’s STRIKE team have hinted at a possible link between Operation WrtHug and the AyySSHush campaign, initially documented by GreyNoise in May.
Source: SecurityScorecard
WrtHug attacks
The attack campaign begins by exploiting command injection vulnerabilities and other known security flaws present in ASUS WRT routers, predominantly targeting AC-series and AX-series devices.
According to STRIKE researchers, the WrtHug operation likely capitalizes on the following vulnerabilities during its attacks:
- CVE-2023-41345, CVE-2023-41346, CVE-2023-41347 and CVE-2023-41348 – OS command injection in token modules
- CVE-2023-39780 – A major command injection flaw (also used in the AyySSHush campaign)
- CVE-2024-12912 – Arbitrary command execution
- CVE-2025-2492 – Improper authentication control leading to unauthorized function execution
Among these vulnerabilities, CVE-2025-2492 stands out due to its critical severity rating. An ASUS security advisory issued in April highlighted the seriousness of this flaw, particularly when triggered by a crafted request on routers with the AiCloud feature enabled.
SecurityScorecard’s recent report suggests that attackers leveraged the ASUS AiCloud service to orchestrate a targeted global intrusion. An indicator of compromise in this campaign is a self-signed TLS certificate on the AiCloud service, which replaced the standard ASUS-generated certificate on 99% of compromised devices. Notably, the new certificate has a 100-year validity period, far longer than the original 10 years, a detail researchers used to pinpoint the 50,000 infected IPs.

Source: SecurityScorecard
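A defender-side check for the certificate indicator described above, written for this article and not part of the SecurityScorecard report or any ASUS tooling: it flags a leaf certificate that is both self-signed and valid far longer than a vendor-issued router certificate. The 20-year threshold, the constructed sample certificates and the common name router.example are assumptions, not values from the report.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Threshold (assumption): stock ASUS cert ~10 years, WrtHug replacement ~100; flag beyond 20.
const maxSaneValidity = 20 * 365 * 24 * time.Hour

// AssessCert flags a leaf that is self-signed (issuer == subject and the signature
// verifies under its own public key) AND valid far longer than a vendor certificate.
func AssessCert(c *x509.Certificate) (suspicious bool, why string) {
	selfSigned := bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	validity := c.NotAfter.Sub(c.NotBefore)
	why = fmt.Sprintf("self-signed=%t validity=%.0fy", selfSigned, validity.Hours()/(24*365))
	return selfSigned && validity > maxSaneValidity, why
}

// makeSelfSigned builds a constructed sample certificate (not a real ASUS one) with the given lifetime.
func makeSelfSigned(years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "router.example"},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, years := range []int{10, 100} { // stock-like vs WrtHug-like lifetime
		c, _ := makeSelfSigned(years) // fixture; only fails if crypto/rand is broken
		fmt.Println(AssessCert(c))
	}
}
```

To check a live device, pass the leaf obtained from tls.Dial with InsecureSkipVerify set (a self-signed certificate would otherwise fail verification before it can be inspected) via conn.ConnectionState().PeerCertificates[0].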
Similar to the AyySSHush campaign, the attackers neglect to update the compromised device’s firmware, leaving it vulnerable to subsequent exploitation by other threat actors.
Based on indicators of compromise, STRIKE researchers have identified specific ASUS models targeted by Operation WrtHug, including:
- ASUS Wireless Router 4G-AC55U
- ASUS Wireless Router 4G-AC860U
- ASUS Wireless Router DSL-AC68U
- ASUS Wireless Router GT-AC5300
- ASUS Wireless Router GT-AX11000
- ASUS Wireless Router RT-AC1200HP
- ASUS Wireless Router RT-AC1300GPLUS
- ASUS Wireless Router RT-AC1300UHP
STRIKE speculates that the compromised routers could serve as operational relay boxes (ORB) in Chinese hacking operations, functioning as covert relay nodes to proxy and conceal command-and-control infrastructure. However, the report does not delve into post-compromise operations or provide specific operational details.
ASUS has released security updates addressing all vulnerabilities exploited in the WrtHug attacks, urging router owners to promptly update their firmware to the latest version available.
For devices no longer under support, users are advised to either replace them or disable remote access features as a precautionary measure.
Additionally, ASUS recently patched CVE-2025-59367, an authentication bypass flaw affecting several AC-series models. Although no exploitation has been observed so far, attackers could target this vulnerability in the future.