GreyNoise said its in-house AI tool, SIFT, flagged suspicious traffic aimed at disabling and exploiting a TrendMicro-powered security feature, AiProtection, enabled by default on Asus routers.
Trojanizing the safety net
Asus’ AiProtection, developed with TrendMicro, is a built-in, enterprise-grade security suite for its routers, offering real-time threat detection, malware blocking, and intrusion prevention using cloud-based intelligence.
After gaining administrative access on the routers, either by brute-forcing or exploiting known authentication bypass vulnerabilities of “login.cgi” — a web-based admin interface, the attackers exploit an authenticated command injection flaw (CVE-2023-39780) to create an empty file at /tmp/BWSQL_LOG.
Doing this activates the BWDPI (Bidirectional Web Data Packet Inspection) logging feature, a component of Asus’ AiProtection suite aimed at inspecting incoming and outgoing traffic. With logging turned on, attackers can feed crafted (malicious) payloads into the router’s traffic, as BWDPI is not meant to handle arbitrary data.
In this particular case, the attackers use this to enable SSH on a non-standard port and add their own keys, creating a stealthy backdoor. “Because this key is added using the official Asus features, this config change is persisted across firmware upgrades,” GreyNoise researchers said. “If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor.”
While GreyNoise did not specify a particular CVE used as an authentication bypass for initial access, Asus recently acknowledged a critical authentication bypass vulnerability, tracked as CVE-2025-2492, affecting routers with the AiCloud feature enabled.
