Security expert Kyle Lovett, reported on the Bugtraq mailing list that critical security vulnerabilities exist in numerous ASUS routers and can be remotely exploited to take complete control of the router. The weak point is the AiCloud media server. Unauthorized users, if AiCloud is activated, can access critical system files over the internet – including files containing access credentials for the router in plain text format.

Attackers can use these credentials to access personal files stored on any devices connected to the router's USB ports. This also allows attackers to gain access to network shares on other computers connected to the router's network.

The following models are reported to be affected:

RT-AC66R
RT-AC66U
RT-N66R
RT-N66U
RT-AC56U
RT-N56R
RT-N56U
RT-N14U
RT-N16
RT-N16R

Users of affected devices should disable the AiCloud function via the menu option in its web interface, until Asus provides secure firmware versions. This ensures that the vulnerable server is no longer accessible by navigating to the router's IP address over HTTPS. Security expert Lovett is also advising users to disable UPnP services and any remote access options and to change the router password.

ASUS said that updates are available from the company's support page for the two router models RT-AC66U and RT-N66U. The company says that it will offer fixes for the other affected models "soon". In the meantime, ASUS recommends turning off all AiCloud functions like Cloud Disk, Smart Access and Smart Sync.