Operation WrtHug refers to a widespread compromise of end-of-life (EoL) ASUS routers, where attackers exploit previously disclosed vulnerabilities to gain control over large numbers of unsupported devices. The activity has impacted tens of thousands of systems, with most cases identified in Taiwan, the United States, and Russia. Current assessments suggest that the operation may be associated with China-linked threat actors, underscoring the persistent security risks posed by outdated network infrastructure that no longer receives firmware updates.
Executive Summary
Operation WrtHug is a wide-scale compromise of unsupported or end-of-life (EoL) ASUS WRT routers, identified by SecurityScorecard’s STRIKE team. The intrusion leverages unpatched flaws in ASUS WRT firmware to gain privileged access, primarily through the misuse of the proprietary AiCloud remote storage service. Once access is obtained, attackers deploy persistent control mechanisms that survive reboot cycles and firmware updates, leaving devices vulnerable to long-term unauthorized use.
Affected routers span multiple discontinued AC-series and AX-series models, with infections most prevalent in Taiwan, the United States, and Russia, along with additional cases reported in Southeast Asia and Europe. The compromised devices share a unique self-signed TLS certificate created in April 2022 and valid for 100 years, making it a reliable indicator for identifying infected systems at scale. This demonstrates a growing pattern of threat actors exploiting outdated network infrastructure, where unsupported edge devices provide long-term, low-visibility access points for unauthorized operations.
Attack Methodology
Operation WrtHug begins by exploiting command injection weaknesses and other known flaws affecting ASUS WRT routers, particularly older AC-series and AX-series devices. The attackers make extensive use of ASUS AiCloud, a proprietary cloud-access service, to gain high-privilege execution and deploy persistent control.
Exploited Vulnerabilities
The table below details the key CVEs, their impacts, and prerequisites:
| CVE ID | Impact | Exploit Prerequisites | CVSS Score |
|---|---|---|---|
| CVE-2023-41345 | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41346 | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41347 | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2023-41348 | OS command injection | Authenticated access, token module flaw | 8.8 |
| CVE-2024-12912 | Arbitrary command execution | Remote access via AiCloud | 7.2 |
| CVE-2025-2492 | Unauthorized function execution | Improper authentication control | 9.2 |
Affected Router Models
The following ASUS router models are known to be targeted in Operation WrtHug:
- ASUS Wireless Router 4G-AC55U
- ASUS Wireless Router 4G-AC860U
- ASUS Wireless Router DSL-AC68U
- ASUS Wireless Router GT-AC5300
- ASUS Wireless Router GT-AX11000
- ASUS Wireless Router RT-AC1200HP
- ASUS Wireless Router RT-AC1300GPLUS
- ASUS Wireless Router RT-AC1300UHP
Campaign Capabilities
- Executes commands remotely without proper authentication
- Abuses the proprietary AiCloud service to establish unauthorized high-privilege access using legitimate built-in features
- Installs persistent SSH backdoors that survive reboots and firmware updates, ensuring long-term device control
- Deploys a shared long-term TLS certificate to enable encrypted botnet communication and evade fingerprint-based detection
- Converts compromised routers into encrypted relay nodes for proxying malicious traffic and expanding botnet infrastructure
Visual Flow
- Initial Access: exploitation of outdated firmware and N-day vulnerabilities (CVE-2023-41345/46/47/48, CVE-2024-12912, CVE-2025-2492)
- Stealth Payload Delivery: AiCloud and web interface abuse (SSH backdoor + certificate spoofing)
- Execution & Persistence: root access, commands injected without UI change, SSH persistence, TLS certificate replacement valid for 100 years
- Command & Control: proxy routing via hijacked routers, shared 1894a6800dff523894eba7f31cea8d05d51032b4 TLS certificate, dual-compromised IP overlap with AyySSHush
- Impact: espionage infrastructure building, covert C2 proxying, data exfiltration, targeted regional focus (Taiwan, SE Asia, U.S.)
Indicators of Compromise
SHA-1:
- 1894a6800dff523894eba7f31cea8d05d51032b4 (WrtHug TLS certificate thumbprint)
IPv4 (Dual-compromised – WrtHug/AyySSHush):
- 46[.]132[.]187[.]85
- 46[.]132[.]187[.]24
- 221[.]43[.]126[.]86
- 122[.]100[.]210[.]209
Additional Malicious IPv4:
- 59[.]26.66[.]44
- 83[.]188.236[.]86
- 195[.]234.71[.]218
Tactics and Techniques
The “Operation WrtHug” campaign demonstrates the following MITRE ATT&CK tactics and techniques:
- TA0001 – Initial Access: The attackers exploit publicly known vulnerabilities in ASUS WRT routers to gain initial access.
- T1190 – Exploit Public-Facing Application: The attackers target the ASUS AiCloud service to exploit known vulnerabilities in the routers.
- TA0002 – Execution: The attackers use command injection and scripting interpreters to execute malicious commands on the compromised routers.
- T1059 – Command and Scripting Interpreter: The attackers use command and scripting interpreters to execute malicious commands within the compromised routers.
- TA0003 – Persistence: The attackers establish persistent backdoors via SSH, often abusing legitimate router features to ensure their presence survives reboots or firmware updates.
- T1547 – Boot or Logon Autostart Execution: The attackers configure malicious scripts to execute automatically upon system startup, maintaining persistent access.
- TA0004 – Privilege Escalation: The attackers exploit vulnerabilities to gain elevated privileges on the compromised routers.
- T1068 – Exploitation for Privilege Escalation: The attackers exploit vulnerabilities to gain elevated privileges on the compromised routers.
Mitigation & Recommendations
- Discontinue Use: Replace the affected routers with newer, supported models.
- Disable Remote Access: If replacement is not immediately possible, disable remote access features like AiCloud to reduce the attack surface.
- Monitor Network Traffic: Implement network monitoring solutions to detect unusual activity originating from these devices.
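The last recommendation, monitoring for unusual activity originating from these devices, is the one most operators can act on while a replacement is pending. The script below is an added example, not code from the original report: it runs detection logic over connection log lines, raising a finding when either endpoint is one of the IPv4 indicators published above (re-fanged from the defanged form), and when the router's own address originates a session to a port it has no routine reason to use, which is what a device turned into an SSH/TLS relay node looks like from the inside. The log format, the router address, the expected-port set and the sample lines are all constructed assumptions; adapt `parse_line` to your firewall or flow exporter.

```python
"""Flag connection log lines tied to Operation WrtHug network indicators.

Added example (not the report's code). Log format is constructed:
"<timestamp> <src>:<sport> -> <dst>:<dport> <proto>", standing in for a
firewall or flow-export record.
"""
import re

# Defanged IPv4 indicators copied from the report.
WRTHUG_IPS_DEFANGED = [
    "46[.]132[.]187[.]85", "46[.]132[.]187[.]24", "221[.]43[.]126[.]86",
    "122[.]100[.]210[.]209", "59[.]26[.]66[.]44", "83[.]188[.]236[.]86",
    "195[.]234[.]71[.]218",
]


def refang(ioc):
    """Turn a defanged indicator back into a matchable address."""
    return ioc.replace("[.]", ".")


WRTHUG_IPS = frozenset(refang(ip) for ip in WRTHUG_IPS_DEFANGED)

# Assumption: ports a router legitimately originates sessions to on its own
# (DNS, NTP, HTTPS for firmware/DDNS checks). Tune for your environment.
ROUTER_EXPECTED_DST_PORTS = frozenset({53, 123, 443})

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one record; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def analyze(lines, router_ip):
    """Return (timestamp, reason, line) for every suspicious record."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in WRTHUG_IPS or rec["dst"] in WRTHUG_IPS:
            findings.append((rec["ts"], "wrthug-ioc-ip", line.strip()))
        elif rec["src"] == router_ip and rec["dport"] not in ROUTER_EXPECTED_DST_PORTS:
            findings.append((rec["ts"], "router-originated-unexpected-port", line.strip()))
    return findings


# Constructed sample log from a sensor that sees the router's own sessions;
# the router is assumed to sit at 192.168.1.1.
SAMPLE_LOG = """\
2025-11-20T08:00:01Z 192.168.1.1:51234 -> 192.0.2.53:53 udp
2025-11-20T08:00:05Z 192.168.1.20:44120 -> 198.51.100.34:443 tcp
2025-11-20T08:00:09Z 192.168.1.1:40022 -> 46.132.187.85:22 tcp
2025-11-20T08:00:12Z 59.26.66.44:55510 -> 192.168.1.1:8443 tcp
2025-11-20T08:00:15Z 192.168.1.1:40023 -> 203.0.113.77:22 tcp
2025-11-20T08:00:17Z 192.168.1.1:40024 -> 203.0.113.9:123 udp
garbage line that should be skipped
""".splitlines()


def sample_findings():
    return analyze(SAMPLE_LOG, router_ip="192.168.1.1")


if __name__ == "__main__":
    for ts, reason, line in sample_findings():
        print(ts, reason, "|", line)
```

Run the router-originated heuristic on a sensor that can distinguish the router's own sessions from traffic it merely forwards: on a WAN-side log every LAN client appears behind the router's address after NAT, so there only the indicator match is meaningful. Indicator lists age quickly, so the IoC check should be read as confirmation of a hit rather than as evidence of a clean device when nothing matches.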
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
