04/18/2025 ASUS Router AiCloud vulnerability

bennor

Asus posted an entry on their Product Security Advisory page today (the 18th) about the Asus Router AiCloud vulnerability. Asus is recommending one update the firmware to the version released after February 2025.

04/18/2025 ASUS Router AiCloud vulnerability
An improper authentication control vulnerability exists in certain ASUS router firmware series. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions.
We have released new firmware update for 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, 3.0.0.6_102 series.

We advise you to check your equipment and security procedures regularly, as this will make you safer. We recommend following these steps:
  • Update your router with the newest firmware. We encourage you to do this when new firmware becomes available. You can find the newest firmware on the ASUS support page at https://www.asus.com/support/ or the relevant product page at https://www.asus.com/Networking/.
  • Use different passwords for your wireless network and router-administration page. Use passwords that have at least 10 characters, with a mix of capital letters, numbers and symbols. Do not use the same password for more than one device or service. Do not use passwords with consecutive numbers or letters, such as 1234567890, abcdefghij, or qwertyuiop.
If you are unable to update the firmware quickly or the router is end-of-life, please ensure that both your login and WiFi passwords are strong. It is recommended to (1) Disable AiCloud (2) disable any services that can be accessed from the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP.

For further help with router setup and an introduction to network security, please visit
How to update the firmware of your router to the latest version?
https://www.asus.com/support/FAQ/1039292

Please update the firmware to the version released after February 2025.

Firmware              CVE
3.0.0.4_382 series    CVE-2025-2492
3.0.0.4_386 series
3.0.0.4_388 series
3.0.0.6_102 series

Edit to add: Note the CVE-2025-2492 applies to all four listed firmware series in the above table.
 

The vulnerability, tracked under CVE-2025-2492 and rated critical (CVSS v4 score: 9.2), is remotely exploitable via a specially crafted request and requires no authentication, making it particularly dangerous.

"An improper authentication control vulnerability exists in certain ASUS router firmware series," reads the vendor's bulletin.

"This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions."

AiCloud is a cloud-based remote access feature built into many ASUS routers, turning them into mini private cloud servers.

It allows users to access files stored on USB drives connected to the router from anywhere over the internet, stream media remotely, sync files between home networks and other cloud storage services, and share files with others via links.

The vulnerability discovered in AiCloud impacts a broad range of models, with ASUS releasing fixes for multiple firmware branches, including 3.0.0.4_382 series, 3.0.0.4_386 series, 3.0.0.4_388 series, and 3.0.0.6_102 series.

Users are recommended to upgrade to the latest firmware version available for their model, which they can find on the vendor's support portal or the product finder page. Detailed instructions on how to apply firmware updates are available here.

ASUS also advises users to use distinct passwords to secure their wireless network and router administration page, and make sure they're at least 10 characters long with a mix of letters, numbers, and symbols.

Impacted users of end-of-life products are advised to disable AiCloud entirely and turn off internet access for WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP services.

While there are no reports of active exploitation or a public proof-of-concept exploit for CVE-2025-2492, attackers commonly target these flaws to infect devices with malware or recruit them into DDoS swarms.

Therefore, it is strongly advised that ASUS router users upgrade to the latest firmware as soon as possible.
 
Becoming a bit of an open door these days. Probably going to be seeing a lot about this.
It seems though that ever since the exploit earlier this year there's been mentions of stronger aimesh authentication with every single firmware release from Asus. Have they ever fixed this, or is this a permanent Achilles heel?
Never used it.
 
This is the one we already know about. Just some official information released so more people know and update.
 
This is the one we already know about. Just some official information released so more people know and update.
This one is telling people to update the firmware to the version released after February 2025. The previous Asus Product Security notice on 01/02/2025 about AiCloud referenced two earlier CVEs (CVE-2024-12912 and CVE-2024-13062).
 
So this was the main reason behind second firmware update wave including EoL models. The changelog doesn't say a word about AiCloud.
 
Yep. AICloud strikes again. When are these router manufacturers going to just ship routers without all these extra helpful "consumer tools" that in the end aren't very helpful, and time after time, keep making you a target for bad actors. Or at least give you some better options to disable all the garbage.
 
I was hoping that this AICloud component would get stripped out of Merlin firmware and that would end the issue for those here and free up some space for @RMerlin 's other work.
 
Is there a way -for now- to block the ai cloud ports on the router or is rejecting asus's privacy policy enough? (I am guessing that the asus security updates that also needs this privacy policy only apply to stock firmware?)
 
Is there a way -for now- to block the ai cloud ports on the router or is rejecting asus's privacy policy enough? (I am guessing that the asus security updates that also needs this privacy policy only apply to stock firmware?)
Generally disabling the AiCloud feature should be good enough. If you want to try and block the AiCloud ports, the port values are listed on the AiCloud 2.0 > Settings page (AiCloud Web access port and AiCloud content streaming port). Blocking the default 443 port may impact other services or programs that rely on that port. As to how to block the port, there is the Firewall > Network Services Filter option. However, I don't know if that applies to services run on the router itself. PS: Or if you have the Asus router connected to an upstream ISP provided router or gateway, maybe you could block the AiCloud ports in the upstream router/gateway.
 
Is there a way -for now- to block the ai cloud ports on the router or is rejecting asus's privacy policy enough? (I am guessing that the asus security updates that also needs this privacy policy only apply to stock firmware?)
Just don't enable it.
 
Yep. AICloud strikes again. When are these router manufacturers going to just ship routers without all these extra helpful "consumer tools" that in the end aren't very helpful, and time after time, keep making you a target for bad actors. Or at least give you some better options to disable all the garbage.
Just got the advisory email from ASUS this AM, clicking on the Security Advisory link takes me to their Security Advisory page, clicking on the specific advisory then...

Some what should be obvious, advice:
"Use different passwords for your wireless network and router-administration page. Use passwords that have at least 10 characters, with a mix of capital letters, numbers and symbols. Do not use the same password for more than one device or service. Do not use passwords with consecutive numbers or letters, such as 1234567890, abcdefghij, or qwertyuiop"

Some not so obvious, but to the point of "better options to disable all the garbage":
"If you are unable to update the firmware quickly or the router is end-of-life, please ensure that both your login and WiFi passwords are strong. It is recommended to (1) Disable AiCloud (2) disable any services that can be accessed from the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP." :oops:

Now the update to the EULA and indemnification, Withdrawing makes a lot more sense, sort of the other shoe dropping, or causation 🤔
 
Well spotted!

Does anybody have the Asus official DL link for this patched FW?

I can't seem to find any FW newer than the one I currently have installed on my RT-AX89X / XT8's:
Current Version : 3.0.0.4.388_33744-g03a793e
The latest version : The router's current firmware is the latest version.

Strange that the GUI Automatic firmware update is not finding anything?

The latest FW on Asus's site is :
ASUS RT-AX89X Firmware version 3.0.0.4.388_33744
Version 3.0.0.4.388_33744
50.89 MB
2025/03/05 <== (Older date than the discovery of CVE-2025-2492)
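
Added example, not part of the posts above and not ASUS code: a small check that maps a full firmware version string to the series notation used in the advisory and applies the advisory's "released after February 2025" wording. The version-string layout and the 2025-03-01 cutoff are assumptions inferred from the text on this page, and two of the three inventory rows are constructed samples.

```python
import re
from datetime import date

# Firmware series named in the ASUS advisory for CVE-2025-2492 (from the page).
AFFECTED_SERIES = {"3.0.0.4_382", "3.0.0.4_386", "3.0.0.4_388", "3.0.0.6_102"}

# Assumption: "released after February 2025" is read as a release date of
# 2025-03-01 or later; the advisory lists no fixed build numbers.
ADVISORY_CUTOFF = date(2025, 3, 1)

# Assumed layout, inferred from the version quoted in the thread:
#   <base>.<branch>_<build>[-g<commit>]   e.g. 3.0.0.4.388_33744-g03a793e
VERSION_RE = re.compile(
    r"^(?P<base>\d+\.\d+\.\d+\.\d+)\.(?P<branch>\d+)_(?P<build>\d+)"
    r"(?:-g(?P<commit>[0-9a-f]+))?$"
)


def firmware_series(version: str) -> str:
    """Map a full version string to the series notation the advisory uses."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return f"{m['base']}_{m['branch']}"


def assess(version: str, released: str) -> str:
    """Apply the advisory's two stated criteria: series and release date.

    `released` is the YYYY/MM/DD date shown on the download page. A passing
    date only matches the advisory's wording; it does not prove the fix is in
    that build.
    """
    if firmware_series(version) not in AFFECTED_SERIES:
        return "series not listed in advisory"
    year, month, day = (int(part) for part in released.strip().split("/"))
    if date(year, month, day) >= ADVISORY_CUTOFF:
        return "meets advisory date criterion"
    return "update required"


if __name__ == "__main__":
    inventory = [
        ("3.0.0.4.388_33744-g03a793e", "2025/03/05"),  # quoted in the thread
        ("3.0.0.4.386_50000", "2024/11/20"),           # constructed sample
        ("3.0.0.4.384_10000", "2019/06/01"),           # constructed sample
    ]
    for version, released in inventory:
        print(f"{version:30} {released}  {assess(version, released)}")
```
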
 
You got an e-mail? I didn't get any e-mail. How did you get an e-mail?
I guess it was a result of registering the Router some time ago, don’t actually know. Hadn’t ever got an email from them before, like this. Typically marketing sure, but this Security Advisory was a first for me...

Figured I'd add the email...
 
I guess it was a result of registering the Router some time ago, don’t actually know.
It is because you subscribed to marketing emails.
You have to uncheck the box for marketing emails in your account or you will get these emails.
EDM stands for Electronic Direct Marketing so you will receive marketing newsletters, product announcements, and promotional offers.
It is at the bottom of your email.



Edit: I have it turned off in my Asus account.
 
It is because you subscribed to marketing emails.
You have to uncheck the box for marketing emails in your account or you will get these emails.
EDM stands for Electronic Direct Marketing so you will receive marketing newsletters, product announcements, and promotional offers.
It is at the bottom of your email.


Edit: I have it turned off in my Asus account.
Yeah I do that, but they do a decent job as those marketing emails come maybe once or twice a month are manageable. Not a bother, more than that, different story
 
