Operation WrtHug Exploits ASUS Router Flaws, Compromising 50,000+ Devices

These articles are AI-generated summaries. Please check the original sources for full details.

Operation WrtHug Compromises ASUS Routers Worldwide

Operation WrtHug, discovered by SecurityScorecard, has compromised over 50,000 end-of-life (EoL) ASUS routers across Taiwan, the U.S., and Russia, leveraging six known vulnerabilities. The campaign utilizes the AiCloud service and a self-signed TLS certificate expiring in 2022 to establish control over the affected devices.

Why This Matters

Ideal network security models assume timely patching and device lifecycle management, but reality often lags. The widespread compromise of EoL devices demonstrates the significant risk posed by unmaintained hardware, with potential costs escalating to large-scale botnet operations and distributed denial-of-service (DDoS) attacks. The lack of security updates on these devices makes them easy targets for attackers.

Key Insights

  • 50,000+ routers compromised: Counted as unique IP addresses identified over six months (2025-11-19).
  • ORB similarities: Operation WrtHug shares characteristics with Operational Relay Boxes (ORBs) and other China-linked botnets, like AyySSHush and LapDogs.
  • CVE-2023-39780 overlap: This vulnerability is exploited by both WrtHug and the AyySSHush botnet, raising questions about potential connections.

Practical Applications

  • ISP Monitoring: Internet Service Providers could proactively identify and alert customers using vulnerable ASUS router models.
  • Pitfall: Relying on default credentials or failing to apply firmware updates on routers creates an easily exploitable entry point for attackers, leading to complete device compromise.
