Rewrite the
GreyNoise said its in-house AI tool, SIFT, flagged suspicious traffic aimed at disabling and exploiting a TrendMicro-powered security feature, AiProtection, enabled by default on Asus routers.
Trojanizing the safety net
Asus’ AiProtection, developed with TrendMicro, is a built-in, enterprise-grade security suite for its routers, offering real-time threat detection, malware blocking, and intrusion prevention using cloud-based intelligence.
After gaining administrative access on the routers, either by brute-forcing or exploiting known authentication bypass vulnerabilities of “login.cgi” — a web-based admin interface, the attackers exploit an authenticated command injection flaw (CVE-2023-39780) to create an empty file at /tmp/BWSQL_LOG.
Doing this activates the BWDPI (Bidirectional Web Data Packet Inspection) logging feature, a component of Asus’ AiProtection suite aimed at inspecting incoming and outgoing traffic. With logging turned on, attackers can feed crafted (malicious) payloads into the router’s traffic, as BWDPI is not meant to handle arbitrary data.
In this particular case, the attackers use this to enable SSH on a non-standard port and add their own keys, creating a stealthy backdoor. “Because this key is added using the official Asus features, this config change is persisted across firmware upgrades,” GreyNoise researchers said. “If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor.”
While GreyNoise did not specify a particular CVE used as an authentication bypass for initial access, Asus recently acknowledged a critical authentication bypass vulnerability, tracked as CVE-2025-2492, affecting routers with the AiCloud feature enabled.
in well organized HTML format with all tags properly closed. Create appropriate headings and subheadings to organize the content. Ensure the rewritten content is approximately 1500 words. Do not include the title and images. please do not add any introductory text in start and any Note in the end explaining about what you have done or how you done it .i am directly publishing the output as article so please only give me rewritten content. At the end of the content, include a “Conclusion” section and a well-formatted “FAQs” section.
