ASUS Routers Hacked in Botnet Attack Using SSH Key
A newly discovered botnet campaign known as “AyySSHush” has compromised more than 9,000 ASUS routers globally, cybersecurity researchers said. The attackers gained persistent remote access by injecting an SSH public key, enabling control that survives reboots and firmware upgrades.
Uncovered in March 2025, the campaign exploits two previously unknown authentication bypass flaws and CVE-2023-39780, a command injection vulnerability in ASUS router firmware. Attackers leverage legitimate router features, such as non-volatile memory (NVRAM) configurations, to ensure persistence without deploying malware.
The operation enables SSH access on port 53282 and disables logging and security protections to avoid detection. GreyNoise identified the activity through its AI-based tool “Sift,” which detected only 30 malicious requests over three months.
ASUS has released patches, but compromised devices remain vulnerable unless fully reset. Security teams are urged to inspect devices for unauthorized SSH services, block four identified IP addresses, and reset affected routers with strong authentication settings.
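One way to run the inspection recommended above, as an added example that is not code from GreyNoise or ASUS: it audits `netstat -tln` output and an authorized_keys file collected from a router, flagging a listener on port 53282 and any key outside an approved set. The function names, the allowlist approach and the sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

CAMPAIGN_SSH_PORT = 53282  # SSH port named in the article
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def key_fingerprint(entry):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys entry, or None."""
    tokens = entry.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):  # key type; options may precede it
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def audit(netstat_output, authorized_keys, approved):
    """Return findings for the campaign port and for keys outside the allowlist."""
    findings = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m and int(m.group(2)) == CAMPAIGN_SSH_PORT:
            findings.append(f"listener on {m.group(1)} TCP/{CAMPAIGN_SSH_PORT}")
    for n, entry in enumerate(authorized_keys.splitlines(), 1):
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        fp = key_fingerprint(entry)
        if fp is None:
            findings.append(f"authorized_keys line {n}: unparseable entry")
        elif fp not in approved:
            findings.append(f"authorized_keys line {n}: unapproved key {fp}")
    return findings

# Constructed sample data: not real keys and not indicators from the campaign.
ADMIN_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed admin key").decode() + " admin@example"
OTHER_KEY = "ssh-rsa " + base64.b64encode(b"constructed unknown key").decode()
SAMPLE_KEYS = ADMIN_KEY + "\n" + OTHER_KEY + "\n"
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:80      0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:53282   0.0.0.0:*         LISTEN
"""
APPROVED = {key_fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT, SAMPLE_KEYS, APPROVED):
        print(finding)
```

An empty result does not clear a device on its own, since the article notes that logging and security protections are also disabled; a router that does produce findings needs the full reset described above, not just a patch.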
