Asus Patches CVE-2023-39780 - 9500 Routers Infected with AyySSHush Botnet

Asus has released an official statement about AyySSHush, a large-scale botnet attack that has infected more than 9500 routers. The malware exploits vulnerability CVE-2023-39780 and embeds itself in persistent memory so that it survives firmware updates and reboots.

The essence of the attack is enabling SSH access on TCP port 53282 and replacing the administrator's public key. Password cracking and authentication bypass are used for infection, which makes the botnet particularly dangerous. Asus confirmed that the exploit has already been fixed in the latest firmware update, and all users are advised to update immediately.

After the update, Asus recommends performing a reset to factory settings and setting a complex administrator password. For experienced users and those whose models are no longer supported, a temporary solution is offered: disable all remote access features, including SSH, DDNS, AiCloud and WAN access, and make sure port 53282 is not open to the outside.

The company stressed that the problem mainly concerns insecure configurations, when users leave WAN access active or use weak passwords. Asus also sent push notifications to users of vulnerable models, such as the RT-AX55, calling for a firmware update.

Although the botnet was detected back in March by GreyNoise, activity remains low: only 30 network requests in 3 months. However, Asus is calling on router owners to check logs for failed login attempts and unknown SSH keys. Home network security depends on careful attention to updates and basic settings.
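
The two checks named above (nothing listening on TCP/53282, no unknown SSH keys) can be run over output collected from the router. The following is an added example, not code from Asus or GreyNoise; it assumes `netstat -tln`-style listener output and an OpenSSH-format `authorized_keys` file, and the sample listener table and keys are constructed placeholders.

```python
import base64
import hashlib

BOTNET_SSH_PORT = 53282  # SSH port named in the article
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

def listening_ports(netstat_text):
    """Collect TCP ports in LISTEN state from `netstat -tln` style output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def key_fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of an authorized_keys line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def audit(netstat_text, authorized_keys_text, trusted_fingerprints):
    """Return findings: listener on the botnet port, keys outside the allow-list."""
    findings = []
    if BOTNET_SSH_PORT in listening_ports(netstat_text):
        findings.append(f"listener on TCP/{BOTNET_SSH_PORT}")
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp is None:
            findings.append(f"authorized_keys line {n}: unparseable entry")
        elif fp not in trusted_fingerprints:
            findings.append(f"authorized_keys line {n}: unknown key {fp}")
    return findings

def sample_key(seed, comment):
    """Constructed placeholder entry (not a real key) for the demo below."""
    blob = base64.b64encode(hashlib.sha256(seed).digest()).decode()
    return f"ssh-ed25519 {blob} {comment}"

# Constructed sample data: one expected listener, one on the botnet port.
SAMPLE_NETSTAT = ("tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN\n"
                  "tcp 0 0 0.0.0.0:53282 0.0.0.0:* LISTEN\n")
SAMPLE_KEYS = "\n".join([sample_key(b"admin-laptop", "admin@laptop"),
                         sample_key(b"unknown", "unlabelled")])
TRUSTED = {key_fingerprint(sample_key(b"admin-laptop", "admin@laptop"))}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NETSTAT, SAMPLE_KEYS, TRUSTED)) or "clean")
```

The allow-list holds fingerprints of keys the owner installed; any key reported as unknown should be compared with `ssh-keygen -lf` output for the owner's own public keys before it is removed.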