Critical Flaw in ASUS DSL Routers Allows Authentication Bypass Without Credentials

ASUS has released new firmware addressing a critical authentication-bypass vulnerability affecting several DSL-series home routers. Catalogued as CVE-2025-59367, the flaw allows a remote attacker to access the device without any credentials whatsoever. The attack requires no user interaction and no advanced techniques — only that the router be reachable from the internet.

At least three models are affected: the DSL-AC51, DSL-N16 and DSL-AC750. ASUS has issued firmware version 1.1.2.3_1010 for these devices, fully eliminating the authentication bypass. The company stresses that owners must install the update as soon as possible via the support site or the specific product page.

Although only three models were explicitly listed, ASUS has also published guidance for users who cannot yet update or whose devices have reached end-of-support. If a firmware patch is unavailable, users are urged to temporarily disable any services that expose the router to the outside world. This includes WAN-side remote administration, port forwarding, DDNS, the built-in VPN server, DMZ, port triggering and FTP access.

ASUS further recommends strengthening overall security: using robust passwords for the admin panel and Wi-Fi networks, checking regularly for new firmware releases, and avoiding the reuse of login credentials across different devices and services. Such measures reduce the likelihood of compromise even before a patch is installed.

No real-world attacks on CVE-2025-59367 have yet been reported, but security vendors caution that router vulnerabilities are routinely weaponised to assemble botnets. Compromised devices are linked into a distributed network and leveraged for DDoS attacks. In June, for instance, CISA added two older flaws in the ASUS RT-AX55 and ASUS GT-AC2900 to its catalogue of exploited vulnerabilities. At the time, researchers from GreyNoise and Sekoia reported that a well-resourced threat group known as Vicious Trap had used those vulnerabilities to implant backdoors on thousands of routers, building a new botnet dubbed AyySSHush.

Earlier this spring, ASUS patched another critical authentication-bypass flaw — CVE-2025-2492 — which affected a broad range of devices with AiCloud enabled. The new update extends that series of fixes and once again underscores how enticing home routers remain as attack targets when users delay applying updates.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy