Security Threats From Home WiFi Routers
Which WiFi router are you using at home or your business? The recent FCC ruling confirms what security experts have said for years.
Many people view home routers and other IoT devices as just another appliance. What they do not realize is that these devices are not only a security risk but also a window into your personal world. When targeted, they give attackers information about you and then become a component in the growing “cybercrime as a service” business model.
Most home users buy IoT products, configure them once and never touch them again. Even when security updates are released, they are rarely applied. This has handed attackers an enormous attack surface, and experts have been warning about it for years. Let’s face it, home users are not capable system administrators, let alone security specialists. This equipment has become the low-hanging fruit on which a large, malicious infrastructure-as-a-service botnet economy has been built.
Recently, the U.S. Justice Department took part in a court-authorized law enforcement operation to disrupt the command and control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets. The four botnets targeted in the operation have infected millions of devices worldwide, all of them IoT devices such as WiFi routers, digital video recorders and even web cameras. As of March 2026, the number of devices hijacked by the botnet administrators exceeded three million, with hundreds of thousands located in the United States alone.
Attack Chain
Here is a sample attack chain in which a variant of TheMoon, malware that has been circulating since 2014, targets Linksys routers that have remote administration enabled:
Scanning: Attackers (or the scanning services they rely on) scan the internet for end-of-life (EOL) routers with exposed remote management interfaces.
Exploitation: They exploit known, unpatched vulnerabilities in that interface to gain root access to the device.
Malware installation: TheMoon is written directly onto the router’s operating system.
Command and control: The infected router checks in with a C2 server as often as every 60 seconds.
Proxy conversion: The router is turned into a proxy, and access to it is sold to other criminals through services such as 5Socks and Anyproxy (both of which have since been seized by law enforcement).
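As an added example (not code from the article, from the FBI, or from any vendor it cites), the following Python script looks for the two network-visible signs of this chain in flow records: a router beaconing to one external host at a near-constant interval, and a router that has begun accepting inbound connections on one port from many unrelated Internet hosts, which is what a device resold as a proxy looks like from the outside. The flow records, the addresses (documentation ranges), the ports and the C2 host are all constructed for the example; the thresholds are assumptions to tune against real telemetry.

```python
"""Added example: flag flows that look like fixed-interval C2 beaconing or
proxy-style inbound fan-in. All records below are constructed, not captured."""
from collections import defaultdict
from statistics import mean, pstdev
import random

ROUTER_LAN = "192.168.1.1"   # constructed: router's LAN address (source of its own outbound flows)
ROUTER_WAN = "192.0.2.7"     # constructed: router's WAN address (destination of inbound flows)


def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    rng = random.Random(42)          # seeded so the sample is reproducible
    flows = []
    t0 = 1_700_000_000
    # 1. Router beacons to a hypothetical C2 host every 60 s with slight jitter.
    t = t0
    for _ in range(20):
        flows.append((t, ROUTER_LAN, "203.0.113.10", 443))
        t += 60 + rng.uniform(-2, 2)
    # 2. A laptop browsing to the same host: irregular timing, few requests.
    t = t0
    for _ in range(8):
        t += rng.uniform(5, 900)
        flows.append((t, "192.168.1.50", "203.0.113.10", 443))
    # 3. The router's legitimate NTP sync: periodic too, but hourly and sparse.
    for i in range(3):
        flows.append((t0 + i * 3600, ROUTER_LAN, "203.0.113.20", 123))
    # 4. Inbound SOCKS connections from 12 unrelated Internet hosts to the router.
    for i in range(12):
        flows.append((t0 + rng.uniform(0, 1200), f"198.51.100.{i + 1}", ROUTER_WAN, 1080))
    # 5. The owner logging in to the web UI from a single external host.
    flows.append((t0 + 500, "198.51.100.200", ROUTER_WAN, 443))
    flows.sort()
    return flows


def find_beacons(flows, period=60.0, max_jitter=0.1, min_count=10):
    """Return (src, dst, dport, count, mean_gap) for talkers whose inter-flow
    gaps cluster tightly around `period` seconds."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_peer[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in by_peer.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        tolerance = max_jitter * period
        # A mean near the period AND a small spread is the beacon signature;
        # human browsing is irregular and hourly NTP is far off the period.
        if abs(avg - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append((src, dst, dport, len(times), round(avg, 1)))
    return hits


def find_inbound_fanin(flows, router_ip, min_sources=10):
    """Return {dport: distinct_source_count} for router ports that accept
    connections from many distinct Internet hosts (proxy-like fan-in)."""
    sources = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dst == router_ip:
            sources[dport].add(src)
    return {port: len(s) for port, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    sample = build_sample_flows()
    print("beacons:", find_beacons(sample))
    print("inbound fan-in:", find_inbound_fanin(sample, ROUTER_WAN))
```

Feed it flows exported from the firewall or a SPAN port in the same (timestamp, source, destination, port) shape. A consumer router that should only be talking to its vendor's update server and an NTP source has no business keeping a 60-second rendezvous with anything else, and it should never be terminating SOCKS connections from a dozen strangers.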
ASUS
Recent reports indicate that ASUS routers have been hit by multiple high-severity or critical vulnerabilities and by active, persistent botnet campaigns, particularly in 2025 and 2026. These campaigns target ASUS routers exposed to the internet and plant persistent backdoors that survive reboots and firmware updates. ASUS has shipped firmware fixes for the CVEs listed below on supported models, but a fix applied after the fact does not remove a backdoor that is already in place, and end-of-life models never receive it:
KadNap / ViciousTrap (2025-2026): A botnet active since August 2025 that has infected over 14,000 edge devices, primarily ASUS routers. It installs a persistent SSH backdoor, turns the routers into proxies and is built to evade traditional detection.
AyySSHush (2025): This campaign plants a persistent SSH backdoor in the router’s non-volatile memory (NVRAM), where it survives reboots and firmware updates; only a factory reset, which clears NVRAM, removes it.
CVE-2024-3912 (2024): A remote code execution (RCE) flaw (CVSS 9.8) that allows unauthenticated attackers to upload arbitrary firmware and execute system commands.
CVE-2024-3080 (2024): An improper authentication vulnerability (CVSS 9.8) that lets remote attackers bypass authentication to gain full control of the device.
CVE-2023-39780 (2023-2025): A high-severity command injection flaw (CVSS 8.8) used to execute system commands, often abused by the ViciousTrap campaign.
CVE-2025-2492 (2025): A critical authentication bypass flaw (CVSS 9.2) in the AiCloud service that allows unauthorized execution of functions.
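The NVRAM-resident backdoor is the detail worth acting on, because a firmware update rewrites flash but leaves NVRAM settings in place. The following Python script is an added example, not code from the article or from ASUS, that audits a saved `nvram show` dump (collected over SSH or telnet and copied off the router) for the settings such a backdoor leaves behind: SSH enabled and exposed on the WAN side, listening on a non-standard port, password login allowed, and authorized keys the owner did not install. The variable names follow Asuswrt conventions (sshd_enable, sshd_wan, sshd_port, sshd_pass, sshd_authkeys); the value semantics, the '<' separator between stored keys, the dump contents, the port number and the key strings are all constructed or assumed for this example and should be checked against the firmware in hand.

```python
"""Added example: audit an Asuswrt `nvram show` dump for a persistent SSH
backdoor. Variable names follow Asuswrt; value semantics, the '<' key
separator and the dump itself are assumptions/constructed for the example."""
from typing import Dict, List, Set

# Constructed dump, not taken from a real device. Addresses come from
# documentation ranges, the port is arbitrary and the key bodies are
# placeholders rather than real SSH public keys.
CONSTRUCTED_DUMP = """\
wan0_ipaddr=192.0.2.7
lan_ipaddr=192.168.50.1
firmver=3.0.0.4
sshd_enable=1
sshd_wan=1
sshd_port=52022
sshd_pass=1
sshd_authkeys=ssh-ed25519 PLACEHOLDER_OWNER_KEY_BODY owner@laptop<ssh-rsa PLACEHOLDER_UNKNOWN_KEY_BODY
http_lanport=80
"""

# Keys the owner knows they installed, identified by the base64 body only:
# the comment field is attacker-controllable and must not be used to decide trust.
TRUSTED_KEY_BODIES: Set[str] = {"PLACEHOLDER_OWNER_KEY_BODY"}


def parse_nvram(dump: str) -> Dict[str, str]:
    """`nvram show` prints one name=value per line; split on the first '='."""
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value
    return settings


def stored_keys(value: str) -> List[str]:
    """Split the authorized-keys value (assumed '<'-separated) into key lines."""
    return [k.strip() for k in value.split("<") if k.strip()]


def audit_ssh(nv: Dict[str, str], trusted_bodies: Set[str], expected_port: int = 22) -> List[str]:
    """Return findings as strings; an empty list means nothing suspicious is stored."""
    findings: List[str] = []
    if nv.get("sshd_enable", "0") == "0":
        return findings                      # SSH daemon disabled: nothing to audit
    if nv.get("sshd_wan", "0") == "1":
        findings.append("sshd reachable from the WAN side")
    port = nv.get("sshd_port", "22")
    if port != str(expected_port):
        findings.append(f"sshd listening on unexpected port {port}")
    if nv.get("sshd_pass", "0") == "1":
        findings.append("password authentication enabled for sshd")
    for key in stored_keys(nv.get("sshd_authkeys", "")):
        fields = key.split()                                # type, body, optional comment
        body = fields[1] if len(fields) > 1 else fields[0]
        if body not in trusted_bodies:
            findings.append(f"authorized key not on the trusted list: {key[:48]}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(parse_nvram(CONSTRUCTED_DUMP), TRUSTED_KEY_BODIES):
        print("FINDING:", finding)
```

A positive result is a reason to factory-reset and re-provision the router, not to edit the variables in place: NVRAM is exactly where the attacker's configuration lives, and anything else the intruder changed while they had root is not visible from this dump.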
Linksys
Recently the FBI named 13 specific Linksys models (many originally sold under the Cisco brand) as being actively targeted: Linksys E1200, Linksys E2500, Linksys E1000, Linksys E4200, Linksys E1500, Linksys E300, Linksys E3200, Linksys WRT320N, Linksys E1550, Linksys WRT610N, Linksys E100, Linksys M10, Linksys WRT310N.
Here is a list of some key threats to Linksys devices:
End-of-Life (EOL) Vulnerabilities: Older Linksys routers, particularly those made before 2010, no longer receive security patches, making them easy targets. The consumer WiFi router market turns products over quickly, so end of life arrives fast, and an EOL router accumulates security issues that are never fixed. The result is an ever larger attack surface.
TheMoon and CVE-2025-34037: CVE-2025-34037 is a critical OS command injection vulnerability in various Linksys E-Series routers, actively exploited by TheMoon to deploy its payload. Exploitation was observed as early as 2014 on some models (the CVE identifier was only assigned in 2025), and the flaw remains unpatched on older routers.
Remote Administration Risks (CVE-2014-8244): This vulnerability lets unauthenticated attackers query the router and expose sensitive data, including MAC addresses, device names and network settings, and it can be leveraged to take over the device and steal data passing through it. It was never fully patched by Linksys.
Default Credential Vulnerability: Many exposed Linksys routers still use default passwords, allowing attackers to simply log in and plant backdoors.
Belkin
Linksys is now owned by Belkin, so it is logical to look at Belkin next. Belkin routers and smart-home products have faced several security vulnerabilities over the last decade, with major issues involving remote code execution, authentication bypass and insecure integrations. The key threats include:
Belkin Wemo Mini Smart Plug (CVE-2023-27217): A buffer overflow reachable through the device’s UPnP interface that can lead to code execution, undermining the security of the smart home it sits in. Belkin has stated that it has no plans to patch it.
CallStranger (CVE-2020-12695): A flaw in the Universal Plug and Play (UPnP) protocol that affects billions of devices, including various Belkin networking products and Wemo smart-home devices. It abuses the UPnP SUBSCRIBE callback to turn devices into amplifiers for distributed denial-of-service (DDoS) attacks and to exfiltrate data. Belkin never fully resolved it.
N600/N900 series: These Belkin devices had serious security design flaws that made man-in-the-middle and cross-site request forgery attacks easy. Remote attackers could spoof DNS responses to make vulnerable devices contact attacker-controlled hosts, and LAN-based attackers could bypass authentication to take complete control of the device. Belkin released no security fixes for these devices.
Legacy Belkin devices have many more vulnerabilities that will remain unpatched and vulnerable if still in use.
Netgear
Netgear routers have several critical security issues, including unauthenticated remote code execution, authentication bypasses and command injection vulnerabilities. These flaws frequently allow attackers to take over devices, steal data or install malware, particularly on older or unpatched models. Immediate firmware updates are strongly recommended. Key issues include:
Remote Code Execution (RCE) and Takeover: Multiple vulnerabilities, such as PSV-2023-0039 and PSV-2016-0261, have allowed attackers to bypass authentication and remotely execute commands on various models, including Nighthawk and gaming routers (XR1000, R6220).
Command Injection (DHCPv6): A January 2026 advisory revealed that Orbi devices had a flaw allowing attackers on the network to perform OS command injections via the DHCPv6 functionality.
Active Exploitation & Malware: Some Netgear routers have been targeted by the Glupteba malware which exploits older, unpatched vulnerabilities.
Unsafe Remote Management: Certain older Netgear models possessed vulnerabilities in their remote management interface, allowing attackers to hijack administrative access using scripts.
End-of-Life (EoL) Vulnerabilities: Many older, unsupported Netgear models continue to run with unpatched security flaws, making them prime targets for botnets.
TP-Link
TP-Link routers have been under investigation by U.S. officials due to national security concerns about potential exploitation by Chinese state-sponsored hackers. Key issues include vulnerabilities leading to botnet recruitment (e.g., CovertNetwork-1658, also known as Quad7), malware implants, and a rising concern about data sharing with the Chinese government.
State-Sponsored Hacking: Reports from Microsoft and other security researchers have linked compromised TP-Link devices to Chinese intelligence-linked activity, specifically targeting government officials in Europe and critical infrastructure. Several vulnerabilities that remain unpatched on many devices allow an authentication bypass through which remote attackers can execute code or take full control of routers with remote management enabled; among them are CVE-2025-53711, CVE-2025-53712, CVE-2025-9377, CVE-2023-50224, CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851 and CVE-2026-3227.
Botnets and Malware: Attackers have used these vulnerabilities to conscript routers into botnets used for password-spraying attacks against cloud services, including Microsoft Azure.
Firmware Implants: Specific attacks, such as the “Camaro Dragon” campaign, used customized malware that infects TP-Link firmware to gain long-term control. CVE-2025-6542 and CVE-2025-6541 let remote attackers execute arbitrary OS commands on the underlying router system.
Data Sharing Risks: Because of Chinese intelligence laws, there are fears that TP-Link could be compelled to build backdoors into its products or to share user data with the Chinese government.
TP-Link has not been actively patching serious vulnerabilities, and its devices in the wild have been compromised and used in botnets for quite some time. This led to direct action by the U.S. Federal Government.
Overreaction
Some claim that an outright ban of Chinese-made consumer routers is heavy-handed. They add that there is no real replacement for these routers and that possibly millions are already in the wild, which would make an import ban useless.
On the contrary, this ban has been a long time coming. All the vendors mentioned are notorious for not patching serious vulnerabilities (as illustrated above) and for not designing products to be secure in today’s world.
To spread the blame evenly, home and consumer users simply do not patch their devices and cannot administer their home networks according to industry best practices, because they lack the knowledge to do so. Anyone who thinks they know networking and security best practices because they set up their Belkin home network does not understand the security implications of what they just did.
All of these vulnerabilities have compounded, and the result is a security concern at the national level, not only for the Federal Government but for every business and individual in the United States.
Business Implications
The first implication for businesses is that, unfortunately, many businesses shop for networking gear at the local consumer electronics store. These are businesses that prioritize budget over security and have no service provider looking out for them, and they assume that because they bought the device at a big-box store it is a quality product. These products come in nice packaging and even offer guarantees that end up being worthless.
The second implication is work-from-home users. Many businesses let employees work from home, and many of those employees use consumer-grade routers bought at big-box stores. This issue has now moved front and center for enterprise security.
Remote work has always been a security concern. Some enterprises have dealt with it to some degree; others have turned a blind eye to the risk, saying that antivirus and a firewall at the office are enough.
They are not. It is time to bring security to the computer wherever the computer is, rather than only when it sits at the office behind the firewall.
Conclusion
It is highly recommended that businesses of all sizes review their security posture.
For businesses running big-box consumer-grade equipment, that equipment must be updated or replaced immediately. If the business cannot do this on its own, it should engage a Managed Service Provider to assist and to provide a security assessment.
For businesses with a work-from-home or hybrid workforce, the firewall must be extended to protect the computers that sit outside the office, which in turn protects the company systems and data the remote workforce accesses. Fortunately, solutions for this are readily available: secure edge (secure access service edge, SASE) and firewall-as-a-service (FWaaS) offerings. These extend protection comparable to the office firewall’s to employees wherever they work, even in hostile or insecure environments. They can also remove the need for traditional VPNs, which is a bonus, because VPN concentrators have been a recurring source of exploited vulnerabilities and a management headache for security teams.
There is now a clear business case for putting proper security in place so that employees have a secure work environment no matter where they work from.

