ASUS Router Vulnerability Exploited by RondoDox Botnet After Six-Year Dormancy Cybersecurity firm VulnCheck has uncovered a campaign by the RondoDox botnet targeting outdated ASUS routers through a 2018 vulnerability (CVE-2018-5999), a critical unauthenticated configuration flaw with a CVSS score of 9.8. The vulnerability allows attackers to modify router settings including admin passwords without authentication, posing a severe security risk. The attacks were detected on May 17 via VulnCheck’s Canary Network, which identified the botnet exploiting the flaw to alter the `ateCommand_flag` setting, forcing the router’s `infosvr` interface to accept unauthorized changes. Despite the exploit code being publicly available since 2018, this marks its first known real-world abuse. Jacob Baines, VulnCheck’s CTO, noted that RondoDox is known for leveraging a high volume of exploits some analyses tracking over 170 associated CVEs and has been active since mid-2025. The botnet primarily targets Linux-based systems, similar to Mirai, but focuses on denial-of-service (DoS) attacks by overwhelming targets with traffic. The scale of the threat is significant: over 1 million ASUS routers remain online, many of which are end-of-life (EOL) devices no longer receiving security updates. VulnCheck’s 2026 State of Exploitation report found that 56% of attacked edge devices in 2025 were consumer routers, with 65% of botnet-exploited vulnerabilities affecting unsupported hardware. This campaign follows another recent RondoDox operation, where the botnet exploited a Next.js vulnerability (CVE-2025-55182, "React2Shell") to hijack smart cameras and web servers. The shift to older router vulnerabilities underscores a broader trend of cybercriminals targeting neglected, unpatched devices to expand their attack infrastructure.

Massive Magento Cyberattack Compromises 7,500+ E-Commerce Sites Since February 2026 A large-scale cyberattack campaign has compromised over 7,500 Magento-powered e-commerce websites since late February 2026, with attackers uploading malicious files to publicly accessible web directories across 15,000+ hostnames. The campaign, tracked by Netcraft researchers, marks one of the most extensive Magento-focused attacks in recent years, affecting businesses, government agencies, universities, and non-profits worldwide. ### Scope and Impact The attack exploited a file upload vulnerability in Magento environments, allowing threat actors to deposit unauthorized files without authentication. Victims include high-profile brands such as Toyota, Fiat, Citroën, Asus, Diesel, Fila, Bandai, FedEx, BenQ, Yamaha, and Lindt, as well as government and university domains in Latin America and Qatar. Several Trump Organization-affiliated sites including trumpstore.com, trumphotels.com, and booktrump.com were also compromised, though researchers confirmed these were incidental targets in an indiscriminate sweep. Most defacements occurred on subdomains, staging environments, or regional storefronts, with only a few live customer-facing sites briefly impacted before remediation. Attackers left behind text files displaying aliases L4663R666H05T, Simsimi, Brokenpipe, and Typical Idiot Security alongside "greetz" messages, a common practice in defacement circles. A subset of defacements on March 7, 2026, included geopolitical messaging, though analysts determined this was not the campaign’s primary motive. ### Technical Details The attack leveraged an unauthenticated file upload flaw in Magento, enabling attackers to write files directly to web servers without credentials. Netcraft researchers successfully replicated the behavior on a Magento Community 2.4.9-beta1 test instance, demonstrating that even updated installations could remain vulnerable under certain configurations. The affected platforms include Magento Open Source, Magento Enterprise, Adobe Commerce, and Adobe Commerce with the B2B module. While Adobe released security bulletins around this period, the observed exploit does not directly align with the published fixes. The campaign shares similarities with the SessionReaper Magento vulnerability from October 2025, which also involved unauthorized file access. ### Attacker Activity and Documentation The threat actor behind the campaign, operating under the handle "Typical Idiot Security," self-reported many compromised sites to Zone-H, a public defacement archive. This suggests the attacker sought recognition within the defacement community rather than pursuing financial or political objectives. As of the latest reports, new compromised sites were still emerging, indicating the campaign remained active. Organizations running Magento-based infrastructure were urged to review file upload endpoints, apply security updates, and monitor web directories for unauthorized changes.

ASUS Discontinues File Shredder Feature After Critical Vulnerability Discovery ASUS has removed the File Shredder feature from its Business Manager software following the identification of a critical security flaw, CVE-2025-13348. The vulnerability, disclosed in a security bulletin on February 2, 2026, affects ASUS Business Manager version 3.0.36.0 and earlier, posing significant exploitation risks. Instead of issuing a patch, ASUS opted for a complete removal of the feature, signaling the severity of the issue. Updated versions of the software no longer include File Shredder, eliminating the attack vector. Users are urged to upgrade to versions beyond 3.0.36.0 to mitigate exposure. The flaw underscores the broader threat landscape, as ASUS has released 89 security advisories in 2025 and early 2026 for products including routers, UEFI firmware, and MyASUS. The company, a CVE Numbering Authority (CNA) and FIRST member, adheres to ISO 29147:2018 and ISO 30111:2019 standards for vulnerability management. Organizations using ASUS Business Manager should verify the absence of File Shredder in their installations and assess logs for prior exploitation. Alternative secure data deletion tools may be necessary for those relying on the deprecated functionality.

ASRock Rack Hit by Everest Ransomware Gang, 509GB of Sensitive Data Allegedly Stolen ASRock Rack, the enterprise-focused server and cloud hardware division of ASRock, has been listed on the dark web leak site of the Everest ransomware gang. The threat actors claim to have exfiltrated a 509GB database containing confidential technical documentation, firmware, software, BIOS files, diagnostic tools, baseboard management controller (BMC) firmware, drivers, and utilities. Everest warned that unauthorized access to the stolen data could enable attackers to exploit vulnerabilities in hardware and software systems, potentially compromising devices at scale. The group also highlighted broader risks, including reputational damage, legal consequences, and the loss of intellectual property, which could strengthen competitors. Security experts, including Rapid7’s Christiaan Beek, noted that if the claims are accurate, the breach could have supply chain implications. Firmware and BIOS-related materials operate below the operating system, making vulnerabilities harder to detect and remediate. The incident raises concerns about follow-on attacks, such as malicious repackaging of drivers or firmware updates, and the possibility of state-aligned involvement given the strategic value of the target. Everest provided a data sample on its leak site, including screenshots of file trees with keywords like data centre and diag, aligning with their claims. The group has set a deadline of approximately nine days to publish the full dataset but has not disclosed a ransom demand. This breach follows Everest’s recent attack on an ASUS supplier, which the company confirmed involved the theft of camera source code for ASUS phones. While ASUS stated the incident did not affect its products or internal systems, Everest later expanded its claims, alleging the theft of a one-terabyte database containing data from ASUS, ArcSoft, and Qualcomm.

A new claim by the Everest ransomware group suggests that ASUS, one of the world’s largest hardware and electronics companies, has been compromised. According to a post on the group’s dark web leak site, they are in possession of more than 1TB of stolen data, which they say includes camera source code. In this case, “Camera Source Code” likely refers to proprietary firmware or software used in ASUS devices with built-in cameras, such as laptops or smartphones. This could include low-level control code for camera modules, internal drivers, or even entire applications tied to image processing or device integration. Everest Ransomware claiming ASUS breach (Image credit: Hackread.com) The group is demanding that ASUS contact them through Qtox, an encrypted messaging platform, and has given the company a 21-hour deadline to respond. No ransom amount has been made public, and there’s no clear indication yet of the specific contents or sensitivity of the alleged data. This claim adds to a series of recent announcements by Everest, which in the past two weeks alone have claimed responsibility for attacks on high-profile organisations, including Under Armour, Brazil’s Petrobras, and Spain’s Iberia airline. Those incidents involved user data, internal documentation, and what the group described as full network access. ASUS has not yet confirmed or denied the breach. Hackread.com has reached out to the company for comment and will update this story as more details become available.

ASUS disclosed a critical security vulnerability (CVE-2025-59373, CVSS 8.5) in its MyASUS application, specifically within the ASUS System Control Interface Service. This flaw allows local attackers with low-level access to escalate privileges to SYSTEM-level, granting full control over affected Windows devices. Exploitation requires no user interaction and has low attack complexity, posing severe risks in corporate environments where a single compromised endpoint could enable broader network intrusion.The vulnerability affects millions of ASUS devices globally, including desktops, laptops, NUCs, and All-in-One PCs. Attackers gaining SYSTEM privileges could execute arbitrary code, install malware, steal sensitive data, or modify system configurations. While ASUS has released patches (versions 3.1.48.0 for x64 and 4.2.48.0 for ARM), unpatched systems remain at high risk of privilege-escalation attacks, potentially leading to lateral movement across enterprise networks.Organizations are urged to prioritize patching and monitor for suspicious activity, as the flaw’s high severity and ease of exploitation make it a prime target for cybercriminals.

A security researcher discovered a major flaw in ASUS DriverHub, a tool that automatically downloads and installs the latest drivers for ASUS devices. The flaw allowed threat actors to execute malicious code on affected devices remotely. Although the vulnerability was limited to motherboards and did not affect laptops, desktop computers, or other endpoints, ASUS strongly recommended users to apply the patch. The vulnerability window had been open for an indeterminate period, but there were no reports of abuse in the wild.

Thousands of expired ASUS routers (models like 4G-AC55U, GT-AX11000, RT-AC1300UHP, etc.) were hijacked by Chinese state-sponsored actors into a botnet named 'Operation WrtHug', exploiting n-day vulnerabilities (CVE-2023-41345, CVE-2024-12912, etc.). The attackers deployed a self-signed 100-year TLS certificate to mask their espionage traffic, turning compromised routers into a globally distributed relay network for cyber-espionage. The majority of affected devices were in Taiwan and Southeast Asia, aligning with geopolitical targeting interests. The botnet enabled hidden C2 infrastructure, resilient attack staging, and intrusions against high-value targets, posing risks to national security, critical communications, and geopolitical stability. No direct financial or customer data breaches were reported, but the campaign facilitated large-scale covert surveillance and potential future attacks on strategic entities.

ASUS disclosed a critical authentication bypass vulnerability (CVE-2025-59367) in multiple DSL-series routers (DSL-AC51, DSL-N16, DSL-AC750), allowing unauthenticated remote attackers to bypass credentials and gain full administrative access. The flaw, rated as low-complexity, exposes unpatched devices connected to the internet to potential compromise. While no in-the-wild exploitation has been confirmed, ASUS urged immediate firmware updates (version 1.1.2.3_1010) to mitigate risks. Users unable to patch were advised to disable internet-facing services (WAN access, port forwarding, VPN, DMZ, etc.) and enforce strong passwords to prevent unauthorized access.The vulnerability poses a significant risk of routers being hijacked for botnet recruitment or DDoS campaigns, a trend highlighted by past incidents like the Vicious Trap group exploiting older ASUS flaws (CVE-2023-39780, CVE-2021-32030) to backdoor thousands of devices for the AyySSHush botnet. ASUS also patched a similar high-risk flaw (CVE-2025-2492) earlier this year, reinforcing the persistent targeting of consumer networking hardware by threat actors. Failure to patch could lead to large-scale device compromise, enabling attackers to pivot into broader network intrusions or disrupt services.

Everest Ransomware Group Claims Massive Data Breach at McDonald’s India The Everest ransomware group has alleged a major cyberattack on McDonald’s India, claiming to have exfiltrated 861 GB of sensitive data, including internal documents and customer personal information. The threat actors posted details of the breach on their dark web leak site on January 20, 2026, warning that the stolen data would be publicly released if McDonald’s fails to respond by a specified deadline. According to Everest, the compromised data includes a wide range of personal and corporate records, posing risks of identity theft and targeted phishing attacks. The group, a Russian-speaking operation active since December 2020, specializes in "pure extortion" stealing and selling data rather than solely encrypting files. Known for high-profile attacks, Everest’s recent victims include ASUS, Nissan Motor Corporation (900 GB stolen in January 2026), and Dublin Airport (1.5 million passenger records breached in October 2025). McDonald’s India, which operates through Connaught Plaza Restaurants (North/East India) and Hardcastle Restaurants (West/South India), has not yet confirmed the breach. The incident adds to the company’s history of cybersecurity challenges in the region, following previous data security issues in 2017 and 2024. The full scope and impact of the breach remain under investigation.

Hundreds of thousands of consumers of the Taiwan-based electronics giant ASUS received the malware through the company's dependable automatic software update programme after an attacker took over the company's server and used it to distribute it to devices.