The issue was identified as CVE-2025-2492; its CVSS score is 9.2 (critical). The vulnerability can be exploited remotely using a specially crafted request and doesn’t require authentication.
“An improper authentication control vulnerability exists in certain ASUS router firmware series. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions,” – ASUS.
AiCloud is a cloud remote access feature embedded into many ASUS routers and turning them into private cloud servers. AiCloud allows users to access files stored on USB drives connected to the router, play media remotely, sync files between the home network and other cloud services, and share files with others.
The security hole discovered in AiCloud affects a wide range of models, and ASUS has already released patches for several firmware branches, including 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102.
Users are strongly recommended to update the firmware to the latest version available for their router model as soon as possible. Users of end-of-life devices are advised to: (1) disable AiCloud; and (2) disable any services that can be accessed from the Internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP.