CVE-2025-2492 is a critical improper authentication vulnerability in the AiCloud functionality of ASUS routers. The flaw can be triggered by a crafted request against routers with AiCloud enabled, allowing a remote attacker to bypass authentication controls and invoke functions without valid credentials. Public reporting describes the issue as enabling unauthorized execution of functions on the device, with downstream consequences including unauthorized configuration changes and potential arbitrary code execution on affected routers.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a single substantive Go program, origasus.go, plus a README. The code is an operational exploit/scanner targeting ASUS AiCloud/AsusWRT devices and explicitly references a chained attack involving SETROOTCERTIFICATE to write /etc/cert.pem.1 and APPLYAPP/RC_SERVICE to execute commands. It is not merely a detector: it reads targets from stdin or a file, supports optional TLS and multi-port scanning, verifies ASUS-related indicators to reduce false positives, and then attempts exploitation using multiple HTTP request and shell-execution variants. The exploit is structured as a concurrent scanner with global configuration, signal handling, exploited-host tracking, and environment-driven loader customization. It maintains a list of common ASUS management ports, supports host:port parsing or separator-based input, and skips previously exploited hosts unless disabled. The payload logic is the most notable part: it builds several shell-script variants intended to be written to /etc/cert.pem.1, then tries many command-injection forms to execute that file. The staged script attempts to download kla.sh from a configurable loader host over HTTP or raw TCP using wget, busybox wget, curl, nc, or toybox nc, stores it in writable temp locations, marks it executable, and launches it in the background with a campaign tag. Fingerprintable observables include the default loader IP 11.11.11.11, HTTP path /bins/kla.sh, TCP port 3342, target-side file /etc/cert.pem.1, temp directories /dev/shm, /var/tmp, /tmp, and the local bookkeeping file exploited.txt. Overall, this repository is a compact standalone Go-based exploitation utility for mass-targeting vulnerable ASUS router/web-management interfaces, with built-in staging for a second-phase shell payload.
28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability affecting ASUS AiCloud Routers that was exploited from infrastructure linked to UAT-7810 or an associated actor to likely expand the ORB network.
A critical authentication bypass vulnerability affecting ASUS routers with AiCloud enabled, allowing remote unauthenticated attackers to execute unauthorized functions.
A critical ASUS router firmware vulnerability (AiCloud-enabled) involving improper authentication control that allows remote unauthorized function execution.
An improper authentication vulnerability in ASUS routers, exploited by threat actors to gain unauthorized access via the AiCloud service.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.