By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecurityScorecardPublished December 19, 2025

TL;DR: A campaign that hijacked tens of thousands of ASUS routers through multiple vulnerabilities drew global attention to supply chain cyber risk, router exploitation, and third-party exposure, according to SecurityScorecard’s November 2025 STRIKE Threat Intelligence research into Operation WrtHug. The pattern shows how unmanaged edge devices can become durable footholds when governance does not extend to externalised infrastructure and upstream dependencies.


At a glance

What this is: SecurityScorecard’s November 2025 coverage highlights Operation WrtHug, a campaign that hijacked tens of thousands of ASUS routers by exploiting multiple vulnerabilities across an exposed device population.

Why it matters: It matters because compromised network infrastructure can become a third-party risk amplifier, and IAM, PAM, and security teams need governance models that cover devices, vendors, and downstream trust assumptions, not just internal accounts.

By the numbers:

👉 Read SecurityScorecard's coverage of Operation WrtHug and supply chain cyber risk


Context

Operation WrtHug is a supply chain and infrastructure risk story, not just a router story. The article focuses on how multiple vulnerabilities in ASUS devices were used to hijack tens of thousands of routers, which turns unmanaged edge hardware into a persistent trust problem for enterprises that depend on those networks.

For IAM and NHI practitioners, the identity angle is indirect but real. Once a device becomes an unauthorised control point, it can mediate access, intercept traffic, or support broader compromise paths, which means the governance boundary must extend beyond user accounts and service identities to the infrastructure those identities traverse.

The broader lesson is typical of modern third-party risk: attackers look for weakly governed assets that sit between the enterprise and its suppliers, customers, or remote workers. That makes router hygiene, vendor exposure, and lifecycle oversight part of the identity security conversation even when no credential theft is the first visible event.


Key questions

Q: What breaks when routers used for remote access are compromised?

A: When a router that carries remote access traffic is compromised, the enterprise can lose trust in the path that authenticates, routes, or observes those sessions. That can weaken SSO validation, DNS integrity, and administrative monitoring at the same time. The result is not just network exposure, but a breakdown in the assumptions behind identity controls and session trust.

Q: Why do end-of-life devices increase third-party cyber risk?

A: End-of-life devices increase third-party cyber risk because they often remain in service after patch support ends, leaving organisations dependent on hardware that can no longer be reliably fixed or monitored. Attackers target those devices because they are plentiful, externally reachable, and often overlooked in supplier or branch-office governance. That creates a persistent trust gap at the edge.

Q: How can security teams tell whether edge-device governance is working?

A: Edge-device governance is working when unsupported devices are retired quickly, externally exposed management interfaces are rare, and every router or gateway has an owner, lifecycle state, and patch status. Teams should also see fewer unresolved exceptions in third-party risk reviews and clearer evidence that critical traffic paths are being segmented and monitored.

Q: Who is accountable when a compromised router affects enterprise access?

A: Accountability usually spans infrastructure, network operations, third-party risk, and security leadership, because the failure crosses asset lifecycle, patch governance, and access assurance. Where the router supported regulated or sensitive access, the organisation must also document how the exposure was discovered, contained, and remediated. The key is to assign ownership before compromise, not after.


Technical breakdown

How router vulnerability chains become a control-plane foothold

When multiple router flaws line up, attackers do not need a single perfect exploit. They combine auth bypass, remote code execution, or management interface weaknesses to gain device-level control, then use the router’s privileged network position to observe or redirect traffic. In supply chain terms, the device becomes a trusted intermediary that was never meant to act as an enforcement point for enterprise policy. That is why edge infrastructure can create an access path that looks external but behaves internally once compromised.

Practical implication: inventory internet-exposed routers and remove any device that cannot be patched, isolated, or centrally governed.

Why end-of-life devices create governance debt in third-party risk

End-of-life hardware is dangerous because the vendor may still publish advisories while the device itself no longer receives meaningful protection. Security teams often inherit these assets through branch offices, home workers, or acquired environments, but they are still part of the trust fabric. If patching, segmentation, and admin access control are inconsistent, the organisation is effectively accepting unmanaged privilege at the network edge. That is a governance failure as much as a vulnerability issue.

Practical implication: tie asset lifecycle decisions to third-party risk reviews so unsupported infrastructure is retired or quarantined before attackers reuse it.

How compromised routers amplify identity and access exposure

A hijacked router does not replace IAM, but it can weaken every identity control that depends on transport trust, DNS integrity, or gateway security. Attackers can redirect sessions, degrade monitoring, or place themselves between users and services, which complicates MFA, session validation, and cloud access monitoring. For NHI programmes, the lesson is that secrets and tokens are only as safe as the network paths that move them. Identity security ends up depending on infrastructure governance whether teams planned for that or not.

Practical implication: treat network edge compromise as an identity-adjacent incident and validate session, DNS, and admin-path integrity after exposure.


Threat narrative

Attacker objective: The objective is durable control of globally distributed routers so the attacker can use them as covert infrastructure for espionage, traffic abuse, or future operations.

  1. Entry began with exploitation of multiple ASUS router vulnerabilities across a large installed base of exposed and end-of-life devices.
  2. Escalation followed device takeover, giving attackers persistent control over the router management plane and the network position behind it.
  3. Impact came from mass hijacking of tens of thousands of routers, creating a scalable platform for surveillance, traffic manipulation, and broader operational risk.

NHI Mgmt Group analysis

Third-party risk now includes the network edge, not just the supplier contract. Operation WrtHug shows why organisations that limit third-party risk to software vendors or SaaS access are missing a major exposure class. Routers, gateways, and other edge devices can become untrusted intermediaries even when the rest of the environment is well controlled. Practitioners should treat edge infrastructure as part of the trust perimeter.

Device lifecycle governance is a supply chain control, not an asset-management afterthought. EOL ASUS routers became a practical attack surface because unsupported hardware often remains in service long after ownership, patchability, and monitoring should have ended. That makes lifecycle enforcement a security control with direct relevance to cyber resilience. The governance gap is not lack of alerts, it is persistence of devices that should no longer exist in the trust model.

Identity programmes inherit infrastructure compromise through session and transport trust. Once an attacker owns the router, they can undermine the conditions that IAM and NHI controls assume are stable, including path integrity, DNS resolution, and administrative reachability. This is where network security and identity security intersect: secrets, tokens, and sessions depend on the integrity of the channels carrying them. Practitioners should assume network-edge compromise can invalidate otherwise sound access policies.

Supply chain security needs a more explicit concept of exposed trust intermediaries. A useful term here is edge trust collapse: the point at which an enterprise keeps trusting network infrastructure that can no longer be verified, patched, or monitored at a level that matches its role. In practice, that means organisations should classify routers and similar devices by their trust function, not just by their hardware category.

Security coverage has to move from alerting on compromise to reducing the count of compromise-ready assets. The volume of reporting around this campaign reflects a wider reality: defenders are still exposed to large populations of unmanaged devices that can be turned quickly into infrastructure. That is a governance problem, not a detection problem. The practitioners who reduce exposure fastest are the ones who retire unsupported devices first.

What this signals

Edge trust collapse: if a network device can mediate access, it belongs in the same governance conversation as accounts, secrets, and service identities. Programmes that separate device hygiene from identity assurance will keep rediscovering the same exposure through different incident types. The practical shift is to align network-edge inventory with access-path risk, not just with asset management.

Where organisations have already experienced or suspect a breach of non-human identities, the research baseline suggests the problem is not hypothetical. That makes router compromise and adjacent infrastructure abuse part of the same operational pattern: unmanaged trust objects grow faster than teams can verify them. The response is to reduce the number of compromise-ready assets before they become incident fodder.

For identity leaders, the most useful next step is to make network-edge compromise a trigger for identity and session review, not only for network remediation. That means pairing routing and DNS checks with token review, privileged session validation, and supplier exposure analysis. The better the linkage between infrastructure telemetry and access governance, the less likely a hijacked device is to become a long-lived trust anchor.


For practitioners

  • Map edge-device trust dependencies Identify routers, gateways, and similar devices that sit on user, branch, or supplier paths, then document which identity and application flows depend on them. Use that inventory to prioritise devices that can affect authentication paths, DNS, or remote access. A clean inventory makes exposure visible before attackers do.
  • Retire or isolate end-of-life hardware Remove unsupported devices from any environment where they can mediate enterprise traffic or admin access. If immediate replacement is impossible, quarantine them behind strict segmentation and deny internet-exposed management interfaces. Unsupported hardware should not remain on a trusted access path.
  • Validate session integrity after perimeter compromise After router exposure, review whether VPN, SSO, DNS, and privileged administrative sessions traversed the affected network path. Reauthenticate critical access, inspect for anomalous redirects, and treat the device compromise as potentially identity-adjacent. This is especially important where service tokens or admin sessions may have passed through the device.
  • Align third-party risk reviews to device lifecycle Add hardware lifecycle status, patchability, and monitoring coverage to third-party risk reviews so obsolete infrastructure cannot hide behind vendor ownership or branch-office ambiguity. Tie this to control checks in the same way you would track orphaned accounts or stale secrets.

Key takeaways

  • Operation WrtHug shows that router compromise is a third-party and supply chain problem, not only a network problem.
  • The scale of hijacked ASUS devices demonstrates how quickly unmanaged edge infrastructure can turn into persistent trust exposure.
  • Retiring unsupported devices and validating session trust are the controls most likely to reduce this attack pattern.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0001 , Initial Access; TA0004 , Privilege Escalation; TA0011 , Command and ControlThe campaign chained device exploitation into persistent control of exposed routers.
NIST CSF 2.0PR.AC-3The article centres on trust boundaries and access control across exposed infrastructure.
NIST SP 800-53 Rev 5IA-5Credential and management-plane integrity depend on secure authenticator management.
CIS Controls v8CIS-1 , Inventory and Control of Enterprise AssetsUnsupported routers become invisible attack surface when asset inventory is incomplete.
ISO/IEC 27001:2022A.8.1The campaign shows why asset management must cover devices that support sensitive traffic.

Apply IA-5 to management access for routers and similar infrastructure, including rotation and revocation of admin credentials.


Key terms

  • Extension Trust Collapse: Extension trust collapse is the failure that occurs when a marketplace-listed plugin is treated as low-risk even though it can read secrets, access identity context, and run code inside a developer workstation. The trust boundary disappears before the organisation has applied control checks, allowing hidden abuse to look like normal productivity software.
  • Third-Party Risk Amplifier: A supplier, device, or external dependency that increases the impact of a compromise by sitting between the organisation and its normal controls. These amplifiers often do not hold data themselves, but they can mediate access, redirect traffic, or extend an attacker’s reach into trusted environments.
  • Exposed Trust Intermediate: An asset that sits in the middle of a communications path and is assumed to be reliable even though it is reachable by attackers or poorly governed. Routers, gateways, and similar edge devices can become exposed trust intermediates when lifecycle management and patching fail.
  • Runtime Trust: Runtime trust is the idea that access should remain valid only while current context justifies it. Instead of trusting a setup decision indefinitely, teams continuously re-evaluate whether a workload or agent still deserves privilege. This approach is especially important for AI agents that can change behaviour mid-task.

What's in the full article

SecurityScorecard's full coverage leaves the operational detail for the source:

  • Global press roundup showing how different regions framed the same router-hijack campaign and what that means for threat visibility.
  • STRIKE Threat Intelligence context on Operation WrtHug, including the scale of ASUS device exposure and the vulnerability chain behind it.
  • Supplier and edge-device risk implications that sit beyond the headlines and matter for third-party governance.
  • Commentary on holiday shopping scams and breach reporting that extends the article beyond the router case itself.

👉 SecurityScorecard's full November 2025 coverage adds the global media context and STRIKE research details.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to the broader access and trust relationships that modern environments depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org