
The router at the centre of the new cyber security crisis

Date: December 2, 2025.

When a router manufacturer releases a security patch, it usually remains a topic for specialised IT portals. This time, however, the problem extends beyond the boundaries of the technical sector.

A new vulnerability in ASUS routers with the AiCloud feature enabled means that an ordinary home device, purchased at a retail store, can effectively become a gateway to any network behind it. This is a serious security issue, not just a technical problem.

AiCloud is an add-on that many ASUS routers offer as a "private cloud". The idea is simple: the user connects a USB drive to the router, enables AiCloud, and gains the ability to access their own files, watch video content, or share data from anywhere via the Internet.

This functionality relies on the standard Samba file sharing protocol (Samba is software that allows devices running different operating systems, such as Windows and Linux, to share files as if they were on the same network and using the same protocol), along with ASUS's own remote access code.

The problem arose precisely in this combination. In the NVD (National Vulnerability Database) of the American National Institute of Standards and Technology, the vulnerability CVE-2025-59366 is recorded as "authentication bypass", meaning it is possible to bypass the password check and run certain functions without the user's permission.

The NVD describes the cause as an "unwanted side effect" of the Samba functionality within AiCloud.

End-of-life ASUS devices also affected

The same note states that this vulnerability allows the execution of specific functions without authorisation. More detailed technical analyses published in expert sources indicate that the attack is based on a combination of two vulnerabilities in the way AiCloud processes requests.

The first allows an unauthorised user to access parts of system paths that should not be accessible (path traversal).

The second enables the insertion of a command into the router's operating system (OS command injection) within such a request.


When these two vulnerabilities are combined, an attacker can construct an entirely ordinary network request that the router executes as if it were sent by an administrator – no password authentication, no warning, no user interaction of any kind. The vulnerability is therefore rated critical, with a CVSS score of 9.2 out of 10.
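As an added illustration (not code from the article, ASUS, or any advisory), the following Python detector flags the two request patterns the text describes, path traversal and shell metacharacters in request parameters, in constructed access-log lines; the `/cloud/...` paths, parameter names and client addresses are hypothetical and not AiCloud's.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (not real router logs or endpoints):
# "<client> <method> <request-target> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET /cloud/files?name=holiday.jpg 200
203.0.113.9 GET /cloud/files?name=../../etc/passwd 200
203.0.113.9 GET /cloud/files?name=..%2f..%2fetc%2fshadow 200
198.51.100.7 GET /cloud/files?name=%252e%252e%252fproc%252fself 200
198.51.100.7 GET /cloud/share?file=movie.mp4;id 500
10.0.0.5 GET /cloud/share?file=report%20final.pdf 200
"""

# Characters that let a value break out into a shell command.
SHELL_META = re.compile(r"[;|&`$]")

def full_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is seen as the server would."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(path_value):
    """True if the decoded path climbs above the directory it is rooted in."""
    depth = 0
    for part in full_decode(path_value).replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False

def classify(line):
    """Return (client, findings) for one log line; findings is empty when benign."""
    client, _method, target, _status = line.split()
    findings = []
    # parse_qsl decodes one layer; full_decode handles any further layers.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if escapes_root(value):
            findings.append(f"traversal:{key}")
        if SHELL_META.search(full_decode(value)):
            findings.append(f"cmd-meta:{key}")
    return client, findings

def scan(log_text):
    """Map each client address to the suspicious findings seen in its requests."""
    hits = {}
    for line in filter(str.strip, log_text.splitlines()):
        client, findings = classify(line)
        if findings:
            hits.setdefault(client, []).extend(findings)
    return hits
```

Run `scan(SAMPLE_LOG)` to see which constructed clients are flagged; only the two benign requests from 10.0.0.5 produce no findings.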

ASUS stated that the problem is present in firmware versions 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 on routers with the AiCloud feature enabled.

TechRadar, a respected British technology portal owned by Future plc, and other sources that analysed the security announcement indicate that it is difficult to compile a complete list of affected models, but it should be assumed that any router using AiCloud with one of these firmware versions is vulnerable – including devices that are already formally "end-of-life" and no longer supported.

Critical AiCloud vulnerability puts all traffic at risk

BleepingComputer, an American portal specialising in cyber security, states, based on ASUS' announcement and independent analysis, that the company has released new firmware that simultaneously patches a total of nine security flaws, of which CVE-2025-59366 is the most dangerous.

The AiCloud vulnerability is notable because it allows an attacker, without any interaction from the victim and without knowing the password, to perform functions on the device over the Internet.

Other vulnerabilities in the same package generally carry medium or high severity but do not reach the critical level.

There is no doubt what this kind of failure means from the perspective of network security. Heise, a respected German IT media outlet, writes that the most dangerous vulnerability in the package is CVE-2025-59366 and that, in the case of a successful attack, the device is considered completely compromised.


The reasoning is simple: a router is a device through which all traffic to the outside passes. Whoever controls the router can change DNS settings, redirect users to fake sites, intercept or modify data in transit, or use the router as a jumping-off point to other devices on the local network.

This is not the first time that AiCloud has been associated with a critical vulnerability.

In April 2025, ASUS patched a similar issue, then registered as CVE-2025-2492. That vulnerability also allowed an attacker, using the AiCloud function, to perform unauthorised functions without valid authentication, with the same CVSS score of 9.2.

Part of a wider chain of attacks

In parallel, independent research has shown that ASUS routers have already been used in global cyber campaigns.

Reports describe how vulnerable routers, including models from this manufacturer, have been compromised and turned into part of the infrastructure for concealing attacks and espionage.

The point is clear: a vulnerability in a home router is not a local problem for a single user but a potential part of a wider chain of attacks that can include both government and corporate targets.


In its official advisory, ASUS instructs users to install the latest firmware immediately, noting that "researchers have reported potential vulnerabilities" and that patches are available.

The company also recommends changing both the administrator password and the wireless network password.

For devices that are no longer supported, the advice is to disable AiCloud and all services that allow direct access to the router from the Internet, such as remote administrative access, port forwarding, FTP, or other publicly exposed services.

No mandatory update system

This is typically where most media coverage ends: reporting that a vulnerability exists, the manufacturer has issued a patch, and users should update their devices.

However, the real issue lies not between ASUS and the "forgetful" end user, but in how we treat home routers and the actual security risks involved.

No serious regulator today would permit a country's critical infrastructure to depend on software that is updated manually, on a voluntary basis, assuming users will remember to check for new firmware versions.

When this model is applied to the hundreds of thousands of routers used in homes for telecommuting, corporate network access, and public service communications, it becomes clear that much of our critical infrastructure relies on devices still regarded as ordinary consumer goods.


There is no mandatory update system or control over security settings for these devices, making them the most vulnerable point in modern networks.

This case also clearly illustrates the gap between formal and actual risk. Formally, the manufacturer has fulfilled its obligations: the reported vulnerability was entered into the international CVE (Common Vulnerabilities and Exposures) database, a description was published in the NVD, the firmware was updated, a press release was issued, and expert portals reported the news.

By all administrative measures, the problem is "solved".

However, Check Point, an Israeli company specialising in cyber security and renowned for its firewall systems, network protection, and regular threat reports, states in its latest monthly threat report that this vulnerability can be exploited without any user interaction and with minimal attack complexity, making it highly attractive for automated Internet scanning and mass attacks.

It follows that the actual number of unprotected routers will be significant, as we continue to rely on end-user habits rather than automated update mechanisms.

A serious gap in network security

Another aspect of the story concerns responsibility and regulation. The European directive NIS2 formally recognises network and information security in key sectors and imposes obligations on operators of essential services, including telecommunications companies.

In practice, most routers used by households and small businesses are purchased directly from shops and do not undergo the security checks that mobile and fixed operators apply to their equipment.

As a result, a large number of devices that serve as entry points to networks operate entirely outside the system of monitoring and updating.

This creates a serious gap: even when the security of data centres, central network nodes, and cloud services is improved, the home router remains an unprotected part of the chain, which is the easiest way for an attacker to access any network.


A particular problem lies in the very nature of features such as AiCloud. These were introduced to make the router a more attractive product, as they allow users to access their files or other content via the Internet as if they were using a personal server.

However, every time a home router is turned into a mini-server, its software becomes more complex, the number of components that must interact increases, and the potential for new vulnerabilities grows.

From a security perspective, such features should be disabled by default and enabled only if the user clearly understands what they are enabling and the risks involved.

Most users do not know what AiCloud actually does, nor that enabling this option exposes their router to the Internet in a way that requires a much stricter level of protection than most routers provide.

Networks depend on the least protected devices

Looking beyond the standard advice to update software, it becomes clear that the issue of home routers is actually a matter of public safety.

States developing cyber defence capabilities must decide whether to treat these devices as part of the infrastructure through which sensitive data passes every day.


If the current approach is maintained, where users are responsible for upgrades and settings themselves, the same types of vulnerabilities will recur, and many routers will remain permanently unprotected.

Such devices will be easy targets for both criminal groups and organised actors seeking stable and inconspicuous access points.

The alternative approach requires clear rules for manufacturers: automatic updates, mandatory security warnings, and default settings that limit the router's accessibility to the Internet until the user explicitly decides otherwise.

When the story is brought down to the level of the average user, the message is simple.

If you have an ASUS router with AiCloud, this is not about abstract "system vulnerability", but about the real possibility that someone, without your knowledge, could take control of the device through which all your network traffic passes.

A patch exists and should be installed. If the manufacturer no longer provides support, AiCloud should be turned off or the router replaced.

This is a warning that should not be limited to the technical details of a single vulnerability. It is a structural problem: the security of entire networks depends on the devices that are least protected, least frequently updated, and most often neglected.

Until that gap is addressed, even the most advanced security strategies will remain vulnerable at the simplest entry point.

Source TA, Photo: Shutterstock