Introduction: A Breach Beyond the Endpoint
A new campaign targeting ASUS routers has compromised more than 9,000 devices worldwide, exposing a hidden weakness in many organizations’ security strategies: insufficient visibility and control at the edge. The attack, dubbed ViciousTrap, exploits CVE-2023-39780—a command injection vulnerability—to deploy malware that persists even after reboots and firmware updates. (Cybersecurity Dive)
While most cybersecurity budgets focus on endpoints and cloud applications, this attack proves that threat actors are increasingly targeting overlooked infrastructure. For CISOs and security leaders, it’s a clear signal that modern threat detection and response strategies must include routers, IoT, and unmanaged network devices.
How ViciousTrap Works
Researchers at GreyNoise observed attackers using brute-force techniques and bypass exploits to gain access to ASUS routers. Once in, they exploit the CVE-2023-39780 vulnerability to execute arbitrary system-level commands, creating a backdoor that survives across reboots and patches.
Though ASUS released a firmware update on May 27, devices already compromised remain at risk unless they’re factory reset and SSH access is manually disabled.
Why This Matters for Security Architects
Attackers’ use of routers for persistent access reflects a growing trend in cyber operations: moving beyond user endpoints into network infrastructure to gain stealthy control and long-term access. These routers are then used for:
Lateral movement inside the network
Command-and-control relay points
Credential harvesting
DDoS and botnet deployment
These threats often evade legacy detection tools because edge devices typically aren’t integrated into centralized logging or endpoint detection systems—making them blind spots for traditional SOCs.
Threat Detection and Response Must Extend to the Edge
This incident underscores the importance of holistic threat detection and response capabilities that go beyond endpoints and SIEM alerts. It’s not enough to detect known malware on laptops or servers—security teams must be able to correlate anomalous behavior across all network layers, including routers and IoT devices.
Seceon’s platform is designed precisely for this type of visibility. By combining real-time behavioral analytics with automated threat correlation across users, endpoints, and infrastructure, Seceon enables organizations to:
Detect unknown or advanced threats, including infrastructure hijacking
Respond rapidly through automated playbooks and policy enforcement
Gain unified visibility across managed and unmanaged assets
Recommended Actions for CISOs and IT Leaders
If your environment includes ASUS or other unmanaged routers, take the following steps immediately:
Audit Devices: Inventory all routers to determine exposure to CVE-2023-39780.
Apply Firmware Updates: Ensure firmware is current as of May 27 or later.
Reset and Reconfigure: Factory reset any previously unpatched routers and manually reconfigure with secure settings.
Disable Remote Access: Turn off SSH, remote admin, and UPnP where possible.
Extend Threat Monitoring: Integrate router activity and unusual traffic patterns into your broader threat detection and response strategy.
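One way to act on the last step, as an added example that is not Seceon’s or ASUS’s code: a small Python detector that reads router SSH log lines forwarded over syslog, flags a source that fails login repeatedly inside a short window (the brute-force phase described above), and escalates when a login from that same source later succeeds. It assumes dropbear-style log messages; the sample lines are constructed, not captured from a real device.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in dropbear's log style (not captured from a real ASUS device).
SAMPLE_LOGS = """\
May 28 02:14:01 router dropbear[1201]: Bad password attempt for 'admin' from 198.51.100.7:51022
May 28 02:14:03 router dropbear[1202]: Login attempt for nonexistent user from 198.51.100.7:51023
May 28 02:14:05 router dropbear[1203]: Bad password attempt for 'admin' from 198.51.100.7:51024
May 28 02:14:08 router dropbear[1204]: Bad password attempt for 'root' from 198.51.100.7:51025
May 28 02:14:10 router dropbear[1205]: Bad password attempt for 'admin' from 198.51.100.7:51026
May 28 02:14:20 router dropbear[1207]: Password auth succeeded for 'admin' from 198.51.100.7:51028
May 28 02:20:00 router dropbear[1250]: Bad password attempt for 'admin' from 203.0.113.9:40001
May 28 02:31:30 router dropbear[1260]: Pubkey auth succeeded for 'admin' from 192.0.2.10:55010
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"(?:Bad password attempt for '(?P<user>[^']*)'|Login attempt for nonexistent user) from (?P<ip>[\d.]+):\d+")
OK_RE = re.compile(r"(?:Password|Pubkey) auth succeeded for '(?P<user>[^']*)' from (?P<ip>[\d.]+):\d+")

def parse(line, year=2025):
    """Turn one syslog line into an SSH auth event, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    f = FAIL_RE.search(m["msg"])
    if f:
        return {"ts": ts, "ip": f["ip"], "ok": False, "user": f["user"] or "<nonexistent>"}
    s = OK_RE.search(m["msg"])
    return {"ts": ts, "ip": s["ip"], "ok": True, "user": s["user"]} if s else None

def detect_bruteforce(log_text, threshold=5, window_s=300):
    """Alert on any source with >= threshold failed logins inside a sliding window of window_s
    seconds; escalate to 'high' when a login from that source later succeeds."""
    recent = defaultdict(list)   # source IP -> timestamps of failures still inside the window
    alerts = {}
    for ev in filter(None, map(parse, log_text.splitlines())):
        ip = ev["ip"]
        if not ev["ok"]:
            recent[ip] = [t for t in recent[ip] if (ev["ts"] - t).total_seconds() <= window_s]
            recent[ip].append(ev["ts"])
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"severity": "medium", "user": None, "failures": 0})
                a["failures"] = max(a["failures"], len(recent[ip]))
        elif ip in alerts:   # success from a source already flagged for brute force
            alerts[ip].update(severity="high", user=ev["user"])
    return alerts
```

Feed it the router’s forwarded syslog stream (or a SIEM export) and route any "high" alert to the same response playbook that would handle a compromised endpoint.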
Conclusion: Threats Don’t Stop at the Firewall
The ViciousTrap campaign is a timely warning that modern attackers are targeting devices far beyond your traditional security perimeter. Security teams must evolve—integrating not only endpoint and cloud monitoring but also full-spectrum threat detection and response that includes edge infrastructure.
Seceon’s AI-powered platform offers comprehensive visibility and automated response across your entire digital estate, including often-ignored edge devices like routers and IoT endpoints. Whether it’s behavioral anomalies, policy violations, or silent persistence, Seceon detects the threats others miss—and responds in real time.