
ASUS Router Flaw Linked to China’s Operation WrtHug Espionage Campaign

The ASUS router flaw has become a central piece of a sprawling global intrusion campaign known as Operation WrtHug, a coordinated effort attributed to a China-aligned threat actor working to compromise outdated ASUS WRT routers and turn them into a worldwide espionage relay network. The campaign leverages vulnerabilities in ASUS’ proprietary AiCloud feature as well as multiple Nth-day security issues to gain high-level privileges on thousands of internet-exposed consumer and small-office routers.

This operation, uncovered through recent analysis by the STRIKE team at SecurityScorecard, reveals a methodical campaign that uses end-of-life (EoL) ASUS router models as operational relay boxes, allowing attackers to route traffic, hide infrastructure, and maintain persistent espionage footholds across geographically strategic locations. The widespread exploitation is enabled through a collection of vulnerabilities including path traversal, OS command injection, and improper authentication controls.

ASUS confirmed and patched a new critical authentication bypass vulnerability in its AiCloud-enabled firmware earlier this week and warned users to update immediately. The company’s advisory outlines urgent mitigation steps for supported firmware series and provides guidance for EoL devices that will not receive updates.

This new flaw, tracked as CVE-2025-59366, now appears connected to the broader threat landscape shaped by Operation WrtHug and related Chinese intrusion campaigns targeting ASUS routers at scale.

How the ASUS Router Flaw Enables Global Espionage Activity

The newly disclosed ASUS router flaw exists within the AiCloud platform, a remote access feature that lets users stream files, access personal cloud storage, or connect to their home networks over the internet. While convenient, AiCloud greatly expands the router’s attack surface and has been a repeated target for attackers in recent years.

According to ASUS, CVE-2025-59366 can be triggered by an unintended interaction with Samba functionality. This flaw allows unauthenticated execution of certain functions on devices running affected firmware. Attackers can combine this weakness with path traversal issues and OS command injection bugs to take full control of vulnerable routers. These exploit chains require no user privileges and no user interaction, and they operate with very low complexity, which makes them appealing to state-aligned threat groups and botnet operators.

The flaw impacts the 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 firmware series, although ASUS has not provided a list of specific router models. For end-of-life devices, ASUS issued mitigation guidance that includes disabling any services exposed to the internet. This includes WAN-facing features such as remote access, port forwarding, DDNS, AiCloud access, VPN servers, DMZ, FTP, and other network functions that are commonly abused in real-world attacks.

Operation WrtHug: A China-Linked ORB Campaign Targeting ASUS Routers

The most detailed public analysis of this campaign appears in SecurityScorecard’s report, which describes a global intrusion effort aimed at end-of-life ASUS routers. The threat actor takes advantage of Nth-day vulnerabilities and frequently abuses the AiCloud interface to gain initial access. STRIKE analysts identified more than fifty thousand unique IP addresses showing signs of compromise over a six-month period.

Operation WrtHug operates as a distributed Operational Relay Box (ORB) network. ORBs are hijacked internet-connected devices that function as proxy nodes to hide command and control servers, route espionage traffic, and obscure attribution. This behavior matches patterns seen in other China-linked ORB campaigns such as LapDogs and AyySSHush.

A defining trait of WrtHug is the shared TLS certificate found on compromised devices. Every infected router presents the same self-signed certificate with a hard-coded expiration period set for one hundred years. This certificate appears primarily on AiCloud services, but a smaller group of compromised devices also shows it on their administrative web interface, which suggests a deeper level of compromise.
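A defender-side check for the certificate trait described above, written as an added example (not SecurityScorecard's or ASUS's tooling): it classifies a certificate in the dict format returned by Python's `ssl.getpeercert()` and flags the self-signed, century-long validity pattern, with a helper that pulls the certificate from a router port for inspection. The 90-year threshold, the 8443 default port, and the sample certificate are assumptions and constructed values, not indicators from the report.

```python
import socket
import ssl

LONG_LIVED_YEARS = 90  # assumption: anything near a century is a red flag

def _name(rdn_seq):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}

def validity_years(cert):
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / (365.25 * 86400)

def is_self_signed(cert):
    return _name(cert["subject"]) == _name(cert["issuer"])

def classify_cert(cert):
    """Findings for a cert dict in ssl.getpeercert() format; [] means clean."""
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed")
    if validity_years(cert) >= LONG_LIVED_YEARS:
        findings.append("validity over %d years" % LONG_LIVED_YEARS)
    return findings

def fetch_cert(host, port=8443, timeout=5.0):
    """getpeercert() returns {} unless the chain verified, so grab the DER with
    verification off, then reconnect trusting exactly that certificate."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    probe.check_hostname = False
    probe.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with probe.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    pinned.check_hostname = False
    pinned.load_verify_locations(cadata=ssl.DER_cert_to_PEM_cert(der))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with pinned.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format: self-signed, ~100-year lifetime.
SAMPLE_SUSPICIOUS = {
    "subject": ((("commonName", "router"),),),
    "issuer": ((("commonName", "router"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2123 GMT",
}
```

Run `classify_cert(fetch_cert("192.0.2.1"))` against your own router's AiCloud or admin port; an empty list means neither trait is present, and the pinned second connection is only for reading the certificate, not for trusting the device.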

The geographic distribution of infected devices closely aligns with China’s strategic interests. Between thirty and fifty percent of compromised routers are located in Taiwan. Additional concentrations appear in Japan, South Korea, Hong Kong, Southeast Asia, Russia, Central Europe, and the United States. No infections appear on networks in mainland China, a pattern often observed in state-aligned cyber operations where domestic infrastructure is intentionally excluded from targeting.

The Vulnerabilities Behind the ASUS Router Flaw and WrtHug Intrusions

Operation WrtHug relies on at least six vulnerabilities for initial access. These include:

  • CVE-2023-41345 – OS command injection (ASUS WRT)
  • CVE-2023-41346 – OS command injection
  • CVE-2023-41347 – OS command injection
  • CVE-2023-41348 – OS command injection
  • CVE-2023-39780 – Severe command injection weakness associated with the above
  • CVE-2024-12912 – Arbitrary command execution
  • CVE-2025-2492 – Improper authentication control (9.2 CVSS)

CVE-2025-2492, patched earlier in the year, is particularly important because it is known to have been exploited in the wild and used to hijack thousands of routers in Southeast Asia and Europe. It was also the primary entry point for attacks in a separate China-linked ORB campaign.

The newly disclosed CVE-2025-59366 sits within this same chain of weaknesses. The similarity in targeted services, overlapping vulnerabilities, and geographic distribution suggests that the ASUS router flaw is another high-value entry point attackers will continue to leverage.

Why China-Aligned Actors Target ASUS Routers

ASUS maintains a large share of the consumer and small-office router market across Taiwan, Southeast Asia, and parts of Europe. These regions are frequent targets of China-aligned threat actors, and ASUS devices are especially common in households, small businesses, and remote work environments. Many of these routers run outdated firmware, a significant portion have reached end of life, and users rarely apply patches or disable exposed services like AiCloud.

This combination makes ASUS routers an ideal foundation for ORB networks. Once attackers compromise a device, it can provide:

  • Global distribution and geographic diversity for masking command and control traffic
  • Persistent access due to outdated firmware and minimal patching
  • Proximity to high-value geopolitical regions
  • Low likelihood of user awareness or intervention
  • Opportunities to chain vulnerabilities across AiCloud and administrative web services

Operation WrtHug reflects the same targeting patterns and techniques seen in previous China-linked intrusion sets. The narrow focus on ASUS WRT devices, repeated exploitation of AiCloud weaknesses, and complete absence of infections inside mainland China further support this attribution.

Mitigation, Patching, and Recommendations

ASUS advises all users to install the latest firmware immediately. The official advisory is available through the ASUS Product Security Advisory. For EoL models, ASUS recommends disabling any service accessible from the internet to reduce exposure.

Users should:

  • Disable AiCloud if not necessary
  • Disable WAN administration, DDNS, and port forwarding
  • Use strong router admin passwords
  • Block all inbound WAN traffic unless essential
  • Enable automatic firmware updates where supported
  • Monitor router behavior for unexpected reboots, high CPU usage, or certificate changes
  • Scan devices for malware using Malwarebytes

Organizations should assess whether any ASUS devices within their environment run AiCloud or older WRT firmware and ensure they are isolated until fully patched.

The ASUS Router Flaw and Its Place in the 2025 Router Threat Landscape

The ASUS router flaw is part of a broader trend in 2025 where state-aligned actors aggressively target small-office routers, home gateways, and aging network appliances to build hidden proxy networks and persistent intrusion points. Consumer routers are often the weakest link in an organization’s external perimeter, especially in hybrid work environments.

Operation WrtHug shows that attackers are transitioning away from brute-force botnet operations toward tailored, strategic campaigns built on Nth-day vulnerabilities and vendor-specific weaknesses. The repeated targeting of AiCloud underscores the risk of embedded convenience features on consumer networking hardware.

For ongoing coverage of major security incidents, global cyber campaigns, and vendor vulnerability disclosures, follow the latest updates in cybersecurity and data breaches.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
