- Asus patch a safety defect with rating of 9.2 in certain routers
- The defect comes from Aicloud, a personal server function in the cloud
- There is still no evidence of abuse, but users must be cautious
ASUS has launched a solution for a critical severity vulnerability that affects the routes with Aicloud qualified that could allow threat actors to execute functions in the devices exposed remotely and without authorization.
They are traced as CVE-2025-2492, and it was given a gravity score of 9.2/10 (critic). It can be exploited through a personalized tail application.
“This vulnerability can be activated through an elaborate application, which potentially leads to the unauthorized execution of functions,” says the NVD page.
Safeguard the device
Aicloud is an integrated feature in many ASUS routors that transforms the domestic network into a personal cloud server.
Users can access, transmit, synchronize and share files stored in USB units connected to the router from anywhere with an Internet connection.
The defect was found in the firmware versions launched after February 2025, which means: 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388 and 3.0.0.6_102.
According to Cyberinsider, such characteristics “often become attractive objectives” for threat actors, since they are exposing confidential data to the Internet.
Therefore, it would be prudent not to delay the implementation of the patch. Depending on the model, there are different firmware versions that can be downloaded directly from the ASUS website.
The defect also affects some devices that reached the end of life, which should now have completely disabled Aicloud. Internet access for WAN should also be disabled, as well as port resentment, DDNS, VPN Server, DMZ, Activation of Ports and FTP services.
The company did not say if the fault is being abused in nature or not, but at the time of publication, it was not added to the Kev of CISA, which is generally a good line of fire for actively exploited failures.
According BleepingcomputerCVSS's critical qualification “implies that exploitation could have a significant impact.” Asus also told their users to use unique and safe passwords to ensure their wireless networks and routine management pages.
That means making passwords of at least 10 characters and making them a mixture of letters, numbers and special symbols in lowercase and capital letters.
