By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: SecurityScorecardPublished November 19, 2025

TL;DR: Thousands of ASUS routers worldwide were compromised through multiple publicly known vulnerabilities, with over 50,000 unique IP addresses observed across the last six months and a distinctive 100-year TLS certificate used to track the campaign, according to SecurityScorecard. The lesson is that unmanaged edge devices create persistent espionage infrastructure long after patching windows close.


At a glance

What this is: Operation WrtHug is a large-scale router compromise campaign that turns ASUS WRT devices into a covert espionage relay network by exploiting known vulnerabilities and exposed services.

Why it matters: It matters because router compromise expands the attack surface beyond endpoints and cloud, forcing IAM, NHI, and network teams to account for unmanaged devices that can provide durable access paths into trusted environments.

By the numbers:

  • The attackers also used vulnerabilities CVE-2024-12912 and CVE-2025-2492, rated 7.2 and 9.2 on the CVSS severity scale.

👉 Read SecurityScorecard’s analysis of Operation WrtHug and ASUS router compromise


Context

Operation WrtHug is a router compromise campaign, not a single-device malware incident. The attackers target ASUS WRT routers through publicly known flaws and remote-access services, which makes the problem one of exposure management as much as patching. For identity and access teams, the lesson is that network edge devices can become trusted footholds even when no human login is involved.

The identity angle sits in the persistence layer. Compromised routers can function as relay infrastructure for covert access, which means secrets, remote administration paths, and service trust boundaries all become part of the governance problem. The article’s starting point is typical of modern edge exploitation: old devices, delayed remediation, and a control gap between vulnerability management and operational visibility.


Key questions

Q: What breaks when internet-facing routers are left on unsupported firmware?

A: Unsupported routers become long-lived footholds because attackers can exploit known flaws after defenders have stopped actively maintaining the device. The break is not only technical. It is governance failure. Once the appliance is end-of-life, patching no longer closes the risk, so organisations must isolate, replace, or remove the device before it becomes relay infrastructure.

Q: Why do exposed edge devices increase espionage risk even without user accounts?

A: Exposed edge devices can be abused as covert infrastructure even when no password theft is involved. Attackers gain persistence by repurposing the device itself, which gives them a concealed path into network traffic and remote access flows. Security teams should treat the device trust boundary as part of identity governance because it can enable access without a human login.

Q: What do security teams get wrong about router patching?

A: Teams often assume patching is the whole answer, but router risk also depends on exposure, lifecycle status, and service configuration. If a device is internet-facing, end-of-life, or still running remote access features, the remaining attack window stays open even after a fix is published. Exposure reduction has to accompany patching.

Q: Who is accountable when a router becomes part of a global botnet or relay network?

A: Accountability usually spans network operations, security architecture, and asset ownership, because the failure sits at the intersection of supportability, exposure management, and remediation. Frameworks such as NIST CSF and NIST SP 800-53 place responsibility on access control, configuration management, and continuous monitoring, so governance must assign ownership before devices age out of support.


Technical breakdown

How Nth day router vulnerabilities become initial access

Nth day vulnerabilities are publicly known flaws that attackers can weaponise after disclosure, often long after defenders assume the exposure window has passed. In this campaign, the attacker chain begins with command injection and authentication weaknesses in ASUS router services, especially AiCloud. Once remote code execution is available, the router becomes a foothold that is difficult to see from the enterprise side because it sits outside normal endpoint telemetry and identity controls.

Practical implication: inventory exposed edge devices and prioritise remediation by internet exposure, not just patch age.

Why end-of-life routers become durable relay infrastructure

End-of-life devices are attractive because they stop receiving meaningful security maintenance while still remaining online and trusted by users. Attackers can keep such devices alive as operational relay boxes, using them for persistence, routing, and concealment rather than noisy destructive activity. That matters because a compromised router is not just a single point of entry. It can become part of a distributed access layer that supports long-running espionage operations.

Practical implication: remove or isolate end-of-life network appliances before they become persistent access infrastructure.

Certificate fingerprints and traffic telemetry as detection signals

The report highlights a shared self-signed TLS certificate with an unusually long expiration period as a campaign fingerprint. That kind of certificate anomaly is useful because it survives across multiple infected devices and gives defenders a way to cluster activity even when IP addresses rotate. In practice, detection must combine network telemetry, certificate analysis, and service exposure checks, because device compromise often looks like ordinary remote administration unless the indicators are correlated.

Practical implication: add certificate and TLS anomaly hunting to network detection workflows for edge devices.


Threat narrative

Attacker objective: The objective is to build a distributed, low-visibility relay infrastructure that supports long-term espionage and operational concealment.

  1. Entry occurs when attackers exploit publicly known ASUS router vulnerabilities in internet-facing services such as AiCloud.
  2. Escalation follows when the flaws provide high-level privileges and allow the device to be repurposed without normal administrative visibility.
  3. Impact is the conversion of compromised routers into a global espionage relay network that supports persistent, concealed operations.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Edge devices are now identity-adjacent infrastructure. Routers are not NHI in the strict sense, but once they become relay points for persistent access, they sit in the same governance conversation as unmanaged machine identities and secrets-bearing services. The control gap is lifecycle blindness: organisations treat edge appliances as networking assets when they are actually access-enabling systems. Practitioners should fold routers, firewalls, and remote-access services into identity-aware governance and exposure management.

Operation WrtHug is a standing-exposure problem, not a patch-only problem. The campaign succeeds because vulnerable, internet-facing services remain reachable long enough for attackers to industrialise exploitation. That means the real failure is not just delayed patching, but the assumption that published fixes automatically remove risk. Security teams need control over exposure duration, asset retirement, and service shutdown decisions, not only vulnerability tickets.

Persistent relay infrastructure changes how defenders should think about lateral movement. A compromised router can support concealed access without looking like a conventional endpoint compromise, which complicates detection and response. This is where network telemetry, certificate anomalies, and asset inventory intersect. The practitioner takeaway is to treat edge compromise as a governance signal that the environment has lost visibility over trust boundaries.

Nth day exploitation is a reminder that exploitability outlives disclosure. The article shows attackers using known flaws against devices that remained online after becoming effectively unsupported. That creates a broader policy problem for enterprises that rely on consumer or small-office hardware in business environments. The practical conclusion is to govern device supportability as a security control, not a procurement afterthought.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • From our research: Read Top 10 NHI Issues for the control gaps most likely to turn machine trust into attacker access.

What this signals

Edge compromise should now be read as identity governance debt. When routers and other appliances are allowed to linger in an unsupported state, they become access-enabling assets that outlive their intended trust model. That is why lifecycle governance needs to extend beyond accounts and secrets into device supportability, supported by exposure management and continuous monitoring.

Certificate anomaly hunting is becoming a practical control for hidden infrastructure. Shared self-signed TLS certificates, long-lived expiries, and reused fingerprints can expose distributed relay networks that normal asset inventories miss. For practitioners, the operational signal is clear: if a device can provide access, it needs the same detection posture as other trusted infrastructure, not a lighter network-only view.

The broader signal is that security teams need a merged view of asset lifecycle, trust boundaries, and access paths. As edge services become part of attack infrastructure, identity programmes should coordinate more closely with network security and vulnerability management so that retired or exposed devices do not become persistent access infrastructure.


For practitioners

  • Inventory and retire end-of-life routers Identify every internet-facing router and remote-access appliance, then remove or isolate devices that no longer receive security support. Prioritise appliances that expose AiCloud or similar management services because they create the easiest entry path for exploitation.
  • Block exposed management services Disable remote administration and consumer cloud features on edge devices unless there is a documented business need. Where remote access is unavoidable, constrain it to approved management paths and monitor for unexpected service exposure.
  • Hunt for campaign-specific certificate fingerprints Search TLS telemetry for shared self-signed certificates, especially unusual long-lived certificates such as the 100-year expiry pattern described in the report. Use that fingerprint to cluster compromised devices and prioritise containment.
  • Add edge-device exposure to vulnerability governance Tie router and appliance remediation to asset criticality, external reachability, and end-of-life status rather than treating them like ordinary patch backlog items. Include network devices in exposure reviews alongside servers and endpoints.

Key takeaways

  • Operation WrtHug shows that routers can be converted into persistent espionage infrastructure when known flaws remain exposed on end-of-life devices.
  • SecurityScorecard observed over 50,000 unique IP addresses tied to the campaign, underscoring how a single device class can scale into a distributed relay network.
  • The most effective controls are lifecycle retirement, exposure reduction, and certificate-based hunting, not patching alone.

Key terms

  • Nth Day Vulnerability: A publicly known security flaw that remains exploitable after disclosure because systems have not been patched, retired, or isolated. In edge devices, nth day exposure often persists longer than organisations expect because appliances are under-monitored and fall outside standard endpoint governance.
  • Operational Relay Box: A compromised device that attackers repurpose as covert infrastructure for routing, hiding, or sustaining access. The device may not be the final target, but it becomes part of the attacker’s control plane and can support espionage, command traffic, or lateral access.
  • End-Of-Life Device: Hardware or software no longer receiving full vendor support, security updates, or reliable maintenance. These assets can remain connected and trusted in production long after their risk profile has changed, making them attractive for exploitation and persistence.
  • Certificate Fingerprint: A distinctive TLS certificate pattern, such as a shared issuer, subject, or expiry profile, used to identify related infrastructure. Security teams use fingerprints to cluster activity, detect reused attacker tooling, and identify compromised devices that otherwise appear unrelated.

What's in the full report

SecurityScorecard’s full report covers the operational detail this post intentionally leaves for the source:

  • Per-vulnerability breakdown of the ASUS exploit chain, including the initial access paths and affected device services.
  • Campaign tracking logic behind the shared certificate fingerprint and the 100-year expiration indicator.
  • Geographic and telemetry details that show how the infected device population is distributed across regions.
  • Mitigation and compromise-response guidance referenced by ASUS for affected devices.

👉 The full SecurityScorecard report covers exploit details, indicator analysis, and mitigation guidance.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It helps practitioners connect identity controls to the wider trust boundaries that modern security programmes depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org