Your Router Just Failed: ASUS & TP-Link Critical Vulnerabilities (CVE-2025-59367)

Your router protects your home network from the internet. Or it’s supposed to. Two major vendors just proved it doesn’t. 😅
ASUS: CVE-2025-59367 (CVSS 9.3)
TP-Link: CVE-2025-7850 + CVE-2025-7851 (CVSS 9.3 + 8.7)
Both disclosed November 2025. Both critical. Both letting attackers walk right in.
ASUS routers: No password required.
The vulnerability affects ASUS DSL-AC51, DSL-N16, and DSL-AC750 routers. Authentication bypass.
If your router’s management interface is exposed to the internet, an attacker can connect remotely without any credentials. No username. No password. Direct admin access.
Many routers have remote management enabled by default. Some ISPs enable it for “support purposes.” Either way, if the admin panel is reachable from outside your network, CVE-2025-59367 makes it completely open.
What can attackers do with admin access? Change your WiFi password and lock you out. Redirect your traffic through their servers. Monitor every device on your network. Use your router to attack other people, making it look like the attacks come from you.
TP-Link: They “fixed” it. Then researchers rooted it again.
Last year, CVE-2024-21827 let attackers get root access through leftover debug code in TP-Link routers. TP-Link patched it in 2024.
Except the debug code is still there. They just made it harder to reach.
Forescout researchers found CVE-2025-7850 and CVE-2025-7851. The patch addressed the original bug but left two problems: the debug functionality stayed in the firmware, just hidden behind a private key check. And if attackers can bypass that check, the entire debug system becomes available again.
The researchers did exactly that. They found CVE-2025-7850, a command injection flaw in the WireGuard VPN settings. An authenticated admin can inject operating system commands that execute with root privileges.
But here’s where it gets worse: their protocol analysis showed CVE-2025-7850 can be exploited without credentials in certain network configurations. What looked like a local-only bug turned into a remote attack vector.
Using root access from these two bugs, they found 15 more vulnerabilities across other TP-Link device families. All under coordinated disclosure. All expected to be patched Q1 2026.
The pattern? TP-Link patches individual bugs but doesn’t fix the underlying code problems. The vulnerabilities keep coming back in different forms.
Botnets already target these routers.
In May 2025, AyySSHush botnet compromised over 9,000 ASUS routers. It installed persistent SSH backdoors that survive reboots.
Quad7 botnet specifically targets TP-Link routers. It chains vulnerabilities to infect devices, then uses thousands of compromised home routers to launch password spray attacks against Microsoft 365 accounts.
The attacks work because they come from residential IP addresses spread across multiple countries. To Microsoft’s systems, it looks like normal login attempts. But it’s coordinated, using your router as part of the attack infrastructure.
How Authentication Bypass Works
Normal login process: You enter username and password. Router checks credentials. If correct, you get access. Simple.
CVE-2025-59367 breaks that chain. The router skips the credential check completely.
Here’s what happens technically: The web interface has an endpoint (usually something like /admin or /cgi-bin/login) that handles authentication. The vulnerable ASUS routers have a flaw where certain requests bypass the authentication logic entirely.
An attacker sends a specially crafted HTTP request. The router processes it without checking credentials. Boom. Admin panel access.
This has nothing to do with weak passwords or brute force attacks. The authentication system just doesn’t run at all for these specific requests.
Even if you set a 50-character password, it doesn’t help. The router never asks for it.
That’s authentication bypass. The door’s not locked. It’s not even closed.
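The bug class described above, as an added sketch: this is not ASUS firmware code and not the actual root cause of CVE-2025-59367, which this article does not detail. Route names, handlers and the session value are hypothetical. It contrasts per-handler auth checks with a default-deny dispatcher and audits both for routes that answer without a session.

```python
# Illustration of the bug class only; routes, handlers and the session
# value are hypothetical and do not come from any vendor firmware.
VALID_SESSIONS = {"constructed-session-id"}

def is_authenticated(request):
    return request.get("session") in VALID_SESSIONS

# Fragile design: every handler has to remember its own check.
def status_page(request):
    return 200 if is_authenticated(request) else 401

def apply_settings(request):
    return 200  # check forgotten: password strength never comes into play

def login_page(request):
    return 200  # meant to be public

ROUTES = {"/login": login_page, "/status": status_page, "/apply": apply_settings}

def dispatch_opt_in(request):
    handler = ROUTES.get(request["path"])
    return handler(request) if handler else 404

# Hardened design: the dispatcher denies by default and public paths
# are an explicit, exact-match allowlist.
PUBLIC_PATHS = frozenset({"/login"})

def dispatch_default_deny(request):
    handler = ROUTES.get(request["path"])
    if handler is None:
        return 404
    if request["path"] not in PUBLIC_PATHS and not is_authenticated(request):
        return 401
    return handler(request)

def reachable_without_session(dispatch):
    """Audit helper: routes that return 200 to a request carrying no session."""
    return sorted(p for p in ROUTES if dispatch({"path": p, "session": None}) == 200)
```

Running the audit helper against both dispatchers shows the difference: the opt-in design leaks the handler that forgot its check, while the default-deny design exposes only the login page.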
Check if you’re affected.
ASUS DSL router owners: If you have DSL-AC51, DSL-N16, or DSL-AC750, update to firmware 1.1.2.3_1010 immediately.
TP-Link router owners: Affected models include ER605v2, and multiple Omada/Festa VPN router families. Check TP-Link’s security advisory for your specific model and apply the latest firmware.
ISP-provided routers: Many ISPs rebrand consumer routers. Dutch ISP Ziggo rebranded the TP-Link Archer C7 as “Wifibooster Ziggo C7.” Check what hardware you actually have from the ISP in your own country.
For routers that won’t get patches: Use strong, unique passwords for both WiFi and router admin (20+ characters minimum). Disable remote access from WAN. Turn off port forwarding, DDNS, VPN server, DMZ, and FTP unless you specifically need them. Or replace the router with a currently supported model.
Step-by-Step: Secure Your Router
First, check if remote management is enabled.
Log into your router admin panel (usually 192.168.1.1 or 192.168.0.1). Look for “Remote Management”, “Remote Access”, or “WAN Access” in the settings. Different brands use different names, but it’s usually under Administration or Security.
If it says “Enabled”? Turn it off. Right now. You don’t need it unless you’re managing your home network from another country.
Next, disable unused services. Port forwarding, UPnP, DMZ, FTP server, Telnet, SSH from WAN. If you don’t know what it does, you probably don’t need it enabled.
Change default credentials. Even if the vulnerability doesn’t need your password, other attacks do. Use 20+ characters. Mix letters, numbers, symbols. Don’t use “Admin123” or your WiFi network name.
Update firmware immediately. ASUS released 1.1.2.3_1010 for affected models. TP-Link has patches for their vulnerable devices. Check your manufacturer’s support page for your specific model.
Can’t update? Time to replace the router. Seriously. A vulnerable router exposes everything behind it. Your laptop, phone, smart TV, security cameras. Everything.
Verify Your Protection
Want to check if your router management interface is exposed to the internet?
I built a tool called Shodan Eye that searches for internet-connected devices. Routers, webcams, servers, IoT devices.
Check it out: https://github.com/BullsEye0/shodan-eye
Search for your public IP address or router model. If your admin panel shows up, it’s exposed.
Or test it yourself. Disconnect from your home WiFi. Use your phone’s mobile data (4G/5G, not WiFi). Try accessing your router’s admin panel using your public IP address. If you can reach the login page from outside your network, remote management is enabled.
Check firmware version. Log into your router, look for “Firmware Version” or “System Information”. Compare it against the manufacturer’s latest release. Behind by more than 6 months? Update it.
Run a port scan from outside your network. Tools like nmap can show what’s exposed. Open ports 80, 443, 8080, 23, 22 from WAN? Those shouldn’t be there unless you specifically need them.
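The outside-in check from the last few paragraphs, as an added example script (not part of Shodan Eye or any vendor tool). It assumes you run it from a connection outside your home network, such as a phone hotspot, against your own public IP address; the port list is the one named above.

```python
import socket
import sys

# Ports the article says should not answer from the WAN side, with the
# service usually found on each.
WAN_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP admin",
             443: "HTTPS admin", 8080: "HTTP alt admin"}

def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (actively refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts, unreachable networks, resolution errors
        return "filtered"

def check_wan_exposure(host, ports=WAN_PORTS, timeout=3.0):
    """Probe each port once and return {port: state}."""
    return {port: probe(host, port, timeout) for port in sorted(ports)}

def exposed(results):
    """Ports that completed a TCP handshake from this vantage point."""
    return [port for port, state in results.items() if state == "open"]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wan_check.py <your-own-public-ip>")
    results = check_wan_exposure(sys.argv[1])
    for port, state in results.items():
        print(f"{port:>5}/tcp  {state:<8}  {WAN_PORTS[port]}")
    open_ports = exposed(results)
    if open_ports:
        print("Reachable from outside:", ", ".join(map(str, open_ports)))
        sys.exit(1)
    print("None of the checked ports answered from this vantage point.")
```

A "filtered" result means nothing answered within the timeout, which is what a firewall silently dropping WAN traffic looks like; "open" on any of these ports means a service is reachable from the internet.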
If you’re not sure, assume you’re vulnerable. It’s safer to over-secure than under-secure.
Your router is the front door to your entire network. Check the locks.
Your router sits at the edge of your network. When it’s compromised, everything behind it becomes accessible.