GreyNoise said its in-house AI tool, SIFT, flagged suspicious traffic aimed at disabling and exploiting a TrendMicro-powered security feature, AiProtection, enabled by default on Asus routers.
Trojanizing the safety net
Asus' AiProtection, developed with TrendMicro, is a built-in, enterprise-grade security suite for its routers, offering real-time threat detection, malware blocking, and intrusion prevention using cloud-based intelligence.
After gaining administrative access on the routers, either by brute-forcing credentials or by exploiting known authentication bypass vulnerabilities in 'login.cgi', the web-based admin interface, the attackers exploit an authenticated command injection flaw (CVE-2023-39780) to create an empty file at /tmp/BWSQL_LOG.
Creating this file activates the BWDPI (Bidirectional Web Data Packet Inspection) logging feature, a component of Asus' AiProtection suite that inspects incoming and outgoing traffic. With logging turned on, attackers can feed crafted (malicious) payloads into the router's traffic, as BWDPI is not meant to handle arbitrary data.
In this particular case, the attackers use this to enable SSH on a non-standard port and add their own keys, creating a stealthy backdoor. "Because this key is added using the official Asus features, this config change is persisted across firmware upgrades," GreyNoise researchers said. "If you've been exploited previously, upgrading your firmware will NOT remove the SSH backdoor."
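A defender-side audit of the three indicators this section describes (the /tmp/BWSQL_LOG marker, SSH enabled on a non-standard port, and authorized keys the operator did not add), as an added example that is not GreyNoise's or Asus' code. It runs over a constructed `nvram show`-style dump and a constructed `/tmp` listing; the `sshd_enable`, `sshd_port` and `sshd_authkeys` variable names follow the AsusWRT convention and are assumed, as is the newline separator between key entries.

```python
import re

# Constructed `nvram show`-style dump (key=value per line). The sshd_*
# variable names are an AsusWRT-convention assumption, not quoted from the article.
SAMPLE_NVRAM = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=2222
sshd_authkeys=ssh-ed25519 AAAAC3Nza_CONSTRUCTED_KEY_BLOB_ attacker@unknown
"""
# Constructed `ls /tmp` output from the same device. /tmp does not survive a
# reboot, so this marker is transient; the SSH key below is the persistent one.
SAMPLE_TMP_LISTING = ["syslog.log", "BWSQL_LOG", "udhcpd.leases"]


def parse_nvram(dump: str) -> dict:
    """Turn key=value lines into a dict; a later duplicate key wins."""
    out = {}
    for line in dump.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def audit(nvram: dict, tmp_listing, trusted_key_blobs=frozenset()) -> list:
    """Return (finding, detail) pairs. Keys are matched against the operator's
    allowlist by key blob, never by the free-text comment an attacker controls."""
    findings = []
    if "BWSQL_LOG" in tmp_listing:
        findings.append(("bwdpi_log_marker", "/tmp/BWSQL_LOG present"))
    if nvram.get("sshd_enable") == "1":
        port = nvram.get("sshd_port", "22")
        if port != "22":
            findings.append(("ssh_nonstandard_port", f"sshd listening on {port}"))
        # Separator between key entries is assumed to be a newline.
        for entry in filter(None, nvram.get("sshd_authkeys", "").splitlines()):
            parts = entry.split()
            if len(parts) < 2 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", parts[1]):
                findings.append(("malformed_key", entry))
            elif parts[1] not in trusted_key_blobs:
                comment = parts[2] if len(parts) > 2 else "(no comment)"
                findings.append(("unknown_ssh_key", comment))
    return findings


def audit_sample() -> list:
    return audit(parse_nvram(SAMPLE_NVRAM), SAMPLE_TMP_LISTING)


if __name__ == "__main__":
    for code, detail in audit_sample():
        print(f"{code}: {detail}")
```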
While GreyNoise did not specify a particular CVE used as an authentication bypass for initial access, Asus recently acknowledged a critical authentication bypass vulnerability, tracked as CVE-2025-2492, affecting routers with the AiCloud feature enabled.

