ASUS Releases Emergency Firmware Update After Discovery of Critical AiCloud Vulnerability


Introduction

ASUS has pushed a high-priority firmware update after researchers uncovered multiple security flaws inside its router ecosystem, including a severe authentication bypass that places countless home and enterprise networks at risk. The most dangerous flaw, labeled CVE-2025-59366 with a CVSS score of 9.2, affects routers running AiCloud, a feature that turns ASUS devices into personal cloud servers. The discovery has reignited concerns about the security posture of widely deployed consumer networking gear, especially those that remain unpatched or have already reached end of life. This incident serves as another reminder that remote access features, while convenient, often introduce stealthy attack surfaces that cybercriminals eagerly exploit.

The Original

Critical Firmware Release Addressing Nine Security Flaws

ASUS has delivered a new firmware package designed to fix nine vulnerabilities reported in its routers, including a critical authentication bypass categorized under CVE-2025-59366 with a high severity score of 9.2. According to the advisory, ASUS confirmed the flaws were introduced through an unintended interaction with Samba components inside the AiCloud service. This interaction allowed certain router functions to be executed without proper authentication, opening the door to unauthorized access by remote attackers.

Direct Advisory From ASUS Security Team

In the published notice, ASUS strongly urged all users to upgrade their firmware immediately. The company emphasized that the vulnerabilities affect routers with AiCloud enabled, a feature used to offer personal cloud storage and remote multimedia streaming. Because AiCloud exposes router components to the internet, it creates an especially tempting entry point for threat actors.

Affected Firmware Versions and Patch Availability

The new security patches apply to various firmware branches, including the 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 series. ASUS listed the exact CVEs covered in the update, among them CVE-2025-59365, CVE-2025-59366, CVE-2025-59368, CVE-2025-59369, CVE-2025-59370, CVE-2025-59371, CVE-2025-59372, and CVE-2025-12003. Users running any routers on these firmware lines were told to upgrade immediately.

Guidance for End-of-Life Models

Beyond active products, ASUS also shared mitigation steps for customers still relying on unsupported or end-of-life units. Because these devices will not receive patches, the company advised using strong and unique credentials, disabling external-facing services like AiCloud and WAN remote access, and avoiding features such as port forwarding, DDNS, DMZ, VPN server, and FTP unless absolutely necessary.
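The mitigation list above can be turned into a quick configuration audit. The following is an added example, not ASUS's own tooling: it parses a `key=value` settings dump in the style of `nvram show` and flags the internet-facing features the advisory says to disable on unsupported units. The NVRAM variable names are an assumption for this example and should be verified against the actual model; the sample dump is constructed.

```python
"""Audit an ASUS router settings dump for the features the advisory says
to disable on unpatched or end-of-life units (added example)."""

# Assumed feature -> NVRAM variable(s) mapping. Verify these names against
# `nvram show` on the real router before relying on them.
RISKY_FEATURES = {
    "AiCloud":           ("enable_cloudsync", "webdav_aidisk"),
    "WAN remote access": ("misc_http_x",),
    "Port forwarding":   ("vts_enable_x",),
    "DDNS":              ("ddns_enable_x",),
    "VPN server":        ("VPNServer_enable",),
    "FTP":               ("enable_ftp",),
}
DMZ_KEY = "dmz_ip"  # DMZ is active when a host address is set, not a 0/1 flag


def parse_nvram(dump: str) -> dict[str, str]:
    """Parse `key=value` lines; blank lines and lines without '=' are ignored."""
    settings: dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict[str, str]) -> list[str]:
    """Return the names of risky features that are currently enabled."""
    exposed = []
    for feature, keys in RISKY_FEATURES.items():
        # A missing key is treated as disabled; any non-empty, non-zero value as enabled.
        if any(settings.get(k, "0") not in ("", "0") for k in keys):
            exposed.append(feature)
    if settings.get(DMZ_KEY, ""):
        exposed.append("DMZ")
    return exposed


# Constructed sample dump: AiCloud, WAN web access and DDNS on, the rest off.
SAMPLE_DUMP = """\
enable_cloudsync=1
misc_http_x=1
vts_enable_x=0
ddns_enable_x=1
dmz_ip=
VPNServer_enable=0
enable_ftp=0
"""

if __name__ == "__main__":
    for feature in audit(parse_nvram(SAMPLE_DUMP)):
        print(f"[!] {feature} is enabled: disable it on an unpatched or end-of-life router")
```

On a supported model the same check is a useful pre-update inventory of what is exposed while the firmware upgrade is pending.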

Growing Attacks on Legacy ASUS Routers

This warning comes amid rising exploitation activity targeting outdated ASUS devices. A large-scale malicious operation known as Operation WrtHug has already infected tens of thousands of unpatched routers across regions like Taiwan, the United States, and Russia. Attackers in these campaigns have abused several known flaws, including OS command injection bugs (CVE-2023-41345 to CVE-2023-41348), arbitrary command execution (CVE-2024-12912), and improper authentication issues (CVE-2025-2492), often relying on AiCloud as an initial access vector.

What Undercode Says:

The Expanding Attack Surface of Consumer Networking

The latest ASUS disclosure illuminates a recurring theme in cybersecurity, particularly for consumer networking equipment. Remote services bundled into modern routers create an ecosystem where convenience and risk sit side by side. Features like AiCloud are designed with usability in mind, yet they inherently expose new interfaces to the internet. Each interface becomes an unintentional invitation for adversaries to probe, manipulate, and eventually compromise devices that were never designed for enterprise-grade hardening.

Authentication Bypass as a Critical Failure

The authentication bypass tagged as CVE-2025-59366 demonstrates how a single logic flaw in one internal module can ripple through the entire router stack. When Samba interacts with authentication improperly, the door effectively swings open. Attackers do not need sophisticated payloads; they simply step through the flaw and execute commands as if they already belong inside the network perimeter. This vulnerability type is particularly dangerous because it undermines the core principle of access control, rendering even strong passwords irrelevant.

Legacy Routers as Persistent High-Value Targets

As ASUS devices reach end of life, many remain operational in homes and small businesses. These routers become easy prey for botnets because they offer high availability, predictable firmware, and zero patching. Operation WrtHug illustrates this pattern perfectly. Threat actors no longer need to look for zero-days when unpatched routers are scattered across the internet like abandoned buildings. These devices are quietly absorbed into malicious networks used to launch DDoS attacks, host payloads, or proxy criminal traffic.

The Problem With Internet-Facing Convenience Features

Each convenience feature, from DDNS to remote media streaming, expands the threat surface. Manufacturers typically enable such capabilities to compete in crowded markets, yet these functions are seldom maintained with the same rigor as enterprise cloud services. When individuals configure these services without understanding their security implications, attackers capitalize on the oversight. The latest ASUS advisory essentially encourages users to roll back these conveniences in exchange for security.

Strategic Lessons From the Disclosure

The incident underlines two major lessons. First, consumer networking hardware must be treated as a critical asset rather than a passive appliance. Second, patch cycles are not optional, especially when vendors explicitly identify active exploitation. ASUS gave a clear directive: update immediately or disable internet-exposed features. The stakes are not limited to a slow network or malfunctioning device. Compromised routers allow adversaries to monitor traffic, steal data, inject malicious payloads, or participate in large-scale attacks.

🔍 Fact Checker Results

The authentication bypass exists within AiCloud and is confirmed as CVE-2025-59366. ✅

Operation WrtHug is actively compromising outdated ASUS routers in multiple countries. ✅

ASUS provided full patches for supported models but not for end-of-life devices. ❌ (End-of-life models have only mitigations, not patches.)

📊 Prediction

ASUS routers will remain a priority target for attackers, especially those ignoring firmware updates.
Botnet operators will continue exploiting neglected end-of-life devices to expand their infrastructure.
Vendors may begin limiting remote-access features by default as pressure grows to reduce consumer-side exposure.


References:

Reported By: securityaffairs.com