- ASUS patches a 9.2-rated security flaw in certain routers
- The flaw stems from AiCloud, a personal cloud server feature
- There’s no evidence of abuse yet, but users should be wary
ASUS has released a fix for a critical-severity vulnerability affecting routers with AiCloud enabled which could allow threat actors to execute functions on the exposed devices remotely and without authorization.
It is tracked as CVE-2025-2492, and was given a severity score of 9.2/10 (critical). It can be exploited via a custom-tailored request.
“This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions,” the NVD page reads.
Safeguarding the device
AiCloud is a feature integrated into many ASUS routers that transforms the home network into a personal cloud server.
Users can then access, stream, sync, and share files stored on USB drives connected to the router from anywhere with an internet connection.
The flaw was found in firmware versions released after February 2025, meaning: 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102.
According to CyberInsider, such features “often become attractive targets” for threat actors, since they are exposing sensitive data to the internet.
Therefore, it would be wise not to delay deploying the patch. Depending on the model, there are different firmware versions that can be downloaded directly from the ASUS website.
The flaw also affects a few devices that reached end-of-life, which should now have AiCloud entirely disabled. Internet access for WAN should also be disabled, as well as port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP services.
The company did not say if the flaw is being abused in the wild or not, but at press time, it was not added to CISA’s KEV, which is usually a good litmus paper for actively exploited flaws.
According to BleepingComputer, the critical CVSS rating “implies the exploitation could have a significant impact.” ASUS also told its users to use unique, strong passwords to secure their wireless networks and router administration pages.
That means making passwords at least 10 characters long, and making them a mix of lowercase and uppercase letters, numbers, and special symbols.
Leave a comment