TL;DR: Thousands of ASUS routers worldwide were compromised through multiple publicly known vulnerabilities, with over 50,000 unique IP addresses observed across the last six months and a distinctive 100-year TLS certificate used to track the campaign, according to SecurityScorecard. The lesson is that unmanaged edge devices create persistent espionage infrastructure long after patching windows close.
NHIMG editorial — based on content published by SecurityScorecard: Operation WrtHug and the compromise of ASUS routers into a global spy network
By the numbers:
- The attackers also used vulnerabilities CVE-2024-12912 and CVE-2025-2492, rated 7.2 and 9.2 on the CVSS severity scale.
Questions worth separating out
Q: What breaks when internet-facing routers are left on unsupported firmware?
A: Unsupported routers become long-lived footholds because attackers can exploit known flaws after defenders have stopped actively maintaining the device.
Q: Why do exposed edge devices increase espionage risk even without user accounts?
A: Exposed edge devices can be abused as covert infrastructure even when no password theft is involved.
Q: What do security teams get wrong about router patching?
A: Teams often assume patching is the whole answer, but router risk also depends on exposure, lifecycle status, and service configuration.
Practitioner guidance
- Inventory and retire end-of-life routers Identify every internet-facing router and remote-access appliance, then remove or isolate devices that no longer receive security support.
- Block exposed management services Disable remote administration and consumer cloud features on edge devices unless there is a documented business need.
- Hunt for campaign-specific certificate fingerprints Search TLS telemetry for shared self-signed certificates, especially unusual long-lived certificates such as the 100-year expiry pattern described in the report.
What's in the full report
SecurityScorecard’s full report covers the operational detail this post intentionally leaves for the source:
- Per-vulnerability breakdown of the ASUS exploit chain, including the initial access paths and affected device services.
- Campaign tracking logic behind the shared certificate fingerprint and the 100-year expiration indicator.
- Geographic and telemetry details that show how the infected device population is distributed across regions.
- Mitigation and compromise-response guidance referenced by ASUS for affected devices.
👉 Read SecurityScorecard’s analysis of Operation WrtHug and ASUS router compromise →
ASUS router compromise: what it means for network defence teams?
Explore further
Edge devices are now identity-adjacent infrastructure. Routers are not NHI in the strict sense, but once they become relay points for persistent access, they sit in the same governance conversation as unmanaged machine identities and secrets-bearing services. The control gap is lifecycle blindness: organisations treat edge appliances as networking assets when they are actually access-enabling systems. Practitioners should fold routers, firewalls, and remote-access services into identity-aware governance and exposure management.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when a router becomes part of a global botnet or relay network?
A: Accountability usually spans network operations, security architecture, and asset ownership, because the failure sits at the intersection of supportability, exposure management, and remediation. Frameworks such as NIST CSF and NIST SP 800-53 place responsibility on access control, configuration management, and continuous monitoring, so governance must assign ownership before devices age out of support.
👉 Read our full editorial: Operation WrtHug shows how router EoL flaws enable espionage