ASUS has revealed a severe security flaw affecting several of its routers that have AiCloud enabled. The vulnerability, tracked as CVE-2025-2492, holds a CVSS score of 9.2 out of 10, indicating a critical threat level.
According to ASUS, the issue stems from improper authentication controls in certain router firmware versions. A crafted request could trigger this flaw, potentially allowing attackers to remotely execute unauthorized functions on vulnerable devices.
Firmware Updates and Recommendations
The flaw has been addressed in updated firmware releases for the following versions:
- 3.0.0.4_382
- 3.0.0.4_386
- 3.0.0.4_388
- 3.0.0.6_102
ASUS urges users to upgrade to the latest firmware as soon as possible. In its advisory, the company emphasized using unique, complex passwords for both wireless networks and router admin pages. Passwords should be at least 10 characters long, containing a mix of uppercase letters, numbers, and symbols.
Additional password hygiene tips include:
- Avoid reusing passwords across devices or services.
- Do not use predictable sequences like 1234567890, abcdefg, or qwertyuiop.
For routers that cannot be updated or are end-of-life, ASUS recommends enhancing password strength immediately. Another option is to disable AiCloud and any internet-accessible services, including:
- Remote access from WAN
- Port forwarding and port triggering
- VPN server
- DMZ
- FTP
- Dynamic DNS (DDNS)
Applying these security measures can help reduce the risk of exploitation until a permanent fix is in place.
