New botnet hijacking AI-powered security tool on Asus routers

GreyNoise said its internal AI-powered tool (filter) flagged suspicious traffic designed to disable and exploit AiProtection, the Trend Micro-powered security feature that is enabled by default on Asus routers.
Trojan Security Network
Developed by Trend Micro, Asus' AiProtection is a built-in, enterprise-class security suite for its routers that provides real-time threat detection, malware blocking and intrusion prevention using cloud-based intelligence.
After gaining administrative access to the router, either by brute-forcing the web-based administrator interface (login.cgi) or by exploiting a known authentication bypass in it, the attacker exploits an authenticated command injection flaw (CVE-2023-39780) to create an empty file.
Creating that file activates the BWDPI (bi-directional web packet inspection) logging feature, an integral part of the Asus AiProtection suite designed to inspect incoming and outgoing traffic. With logging turned on, the attacker can send a crafted (malicious) payload in the router's traffic, because BWDPI was not designed to process arbitrary data safely.
In this particular case, the attacker uses it to enable SSH on a non-standard port and add their own keys, creating a stealthy backdoor. "This configuration change persists across firmware upgrades because it is added through an official ASUS feature," said GreyNoise researchers. "If you were exploited before, upgrading the firmware will not remove the SSH backdoor."
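Because the backdoor is plain router configuration that survives a firmware upgrade, the practical defender check is to audit that configuration rather than trust the upgrade. The following script is an added example (not GreyNoise's or ASUS's code) that audits a constructed Asuswrt-style `nvram show` dump for SSH enabled on a non-standard port and for authorized keys the operator never provisioned; the variable names `sshd_enable`, `sshd_port` and `sshd_authkeys` and the `>` key separator are assumptions to verify against your firmware.

```python
# Constructed sample of an Asuswrt-style "nvram show" dump.
# Assumption: sshd_enable / sshd_port / sshd_authkeys are the relevant
# variables and multiple authorized keys are joined with '>'.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAconstructedADMIN admin@workstation>ssh-ed25519 AAAAconstructedUNKNOWN nobody@unknown
"""

# Keys the operator deliberately provisioned; anything else is suspect.
KNOWN_KEYS = {"ssh-rsa AAAAconstructedADMIN admin@workstation"}


def parse_nvram(dump):
    """Turn 'key=value' lines into a dict (first '=' splits key from value)."""
    values = {}
    for line in dump.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def audit_ssh(nvram, known_keys, expected_port=22):
    """Return a list of (finding, detail) tuples; empty means nothing suspicious."""
    findings = []
    # Any non-zero sshd_enable value means the SSH daemon is on (LAN or LAN+WAN).
    if nvram.get("sshd_enable", "0") != "0":
        port = int(nvram.get("sshd_port", str(expected_port)))
        if port != expected_port:
            findings.append(("non_standard_port", port))
        # Compare every configured key against the allow-list of known keys.
        for key in filter(None, nvram.get("sshd_authkeys", "").split(">")):
            if key not in known_keys:
                findings.append(("unknown_key", key))
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(parse_nvram(SAMPLE_NVRAM), KNOWN_KEYS):
        print(finding)
```

Run it against a real `nvram show` export taken from the router and treat any finding as an indicator that the device was compromised before the upgrade, not merely misconfigured.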
Although GreyNoise does not name a specific CVE as the authentication bypass used for initial access, ASUS recently acknowledged a critical authentication bypass vulnerability, tracked as CVE-2025-2492, affecting routers with the AiCloud feature enabled.