Critical Security Flaw Discovered in Asus Routers

A significant security vulnerability has been identified in the AiCloud service of Asus routers, allowing unauthorized users to execute commands on certain models, according to the manufacturer.

The flaw, categorized under CVE-2025-2492, has been assigned a critical risk rating of 9.2 on the Common Vulnerability Scoring System (CVSS). Asus has highlighted that the security issue stems from inadequate authentication controls within the AiCloud, which can be exploited through manipulated requests to gain unauthorized access to router functions.

Asus did not disclose specific details about potential exploitation methods. However, the AiCloud software is designed to facilitate remote access to files and data stored on home networks. In response to this vulnerability, Asus has released updated firmware versions aimed at addressing the issue for specific router series.

Users are strongly encouraged to install the new firmware available on the Asus support website, which can be accessed by searching for the router's model number. Asus also recommends implementing strong password protocols, advising that the Wi-Fi and router administration passwords should be distinct. Passwords should ideally consist of a minimum of ten characters and include a mix of uppercase and lowercase letters, numbers, and special symbols. Asus specifically cautions against using simple sequences of numbers or letters, which can be easily guessed.

For those unable to apply the firmware update--particularly individuals using devices that have reached the end of their support life--Asus advises strengthening existing router and Wi-Fi passwords. Furthermore, users should consider disabling the AiCloud service and any other features that allow internet access, such as remote WAN access, port forwarding, Dynamic DNS, VPN servers, and FTP services.

This latest vulnerability follows a series of security concerns that were reported in January, where similar issues in the AiCloud service could have led to complete device compromise. Asus had previously distributed firmware updates to mitigate those risks as well.