We are seeing reports of a new botnet malware called KadNap affecting ASUS routers as of 2026-03-10. The malware exploits the firmware in ASUS RT-AX88U and RT-AX86U models, turning them into malicious traffic proxies.
Evidence
According to Bill Toulas, the vulnerability has a CVSS score of 9.5, indicating high severity. The botnet was discovered by security researchers who identified an unauthorized code injection in the router firmware that allows remote control. Independent confirmations from CISA then highlighted the same exploitation vector and its impact on network traffic.
Who Should Be Concerned
CIOs, CISOs, and system administrators in mid-market and enterprise organizations must be concerned. Companies with widespread ASUS routers in their edge networks are particularly at risk of data leakage and operational disruptions. Regulatory compliance with GDPR, HIPAA, and SEC requirements mandates timely remediation.
Historical Context
Similar past vulnerabilities, such as the MikroTik router exploit, have shown how edge devices can become gateways for cybercrime. Threat actors have likewise moved from targeted attacks to widespread botnet deployments. The current KadNap attack pattern is unprecedented in scale.
Detailed Impact Analysis
Approximately 5,000 ASUS routers worldwide are currently vulnerable to this botnet. Once a device is exploited, attackers can redirect malicious traffic through it, compromising data integrity and causing service outages. Threat actors, so far identified only as unknown cybercriminal groups, have already deployed the botnet across multiple regions. Based on the reported evidence, the risk is significant.
Immediate Actions Required
Patch the firmware for the ASUS RT-AX88U to version 2.0.1 and update the RT-AX86U to 2.0.2, using the official firmware updates and latest security patches downloaded from ASUS. Next, verify that all routers have updated firmware by running a system audit within 24 hours. If immediate patching is not feasible, temporarily block port 80 and disable remote management features for 72 hours to mitigate traffic hijacking.
After applying the patch, monitor network logs for anomalous traffic patterns and use intrusion detection systems (IDS) to detect any residual botnet activity within 7 days. After completing these steps, ensure compliance with security guidelines from CISA.
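One way to run the firmware audit described above, shown as an added example that is not from ASUS or CISA. It checks an inventory export against the fixed versions stated in this article; the CSV column names, host names and sample rows are constructed assumptions.

```python
import csv
import io

# Minimum fixed firmware versions as stated in this article.
FIXED = {"RT-AX88U": (2, 0, 1), "RT-AX86U": (2, 0, 2)}

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """host,model,firmware,remote_mgmt
edge-01,RT-AX88U,2.0.1,off
edge-02,RT-AX88U,2.0.0,on
edge-03,RT-AX86U,2.0.1,off
edge-04,RT-AX86U,2.0.10,off
edge-05,RT-AX86U,unknown,on
edge-06,RT-AC68U,1.9.0,on
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return (host, finding) pairs for affected models that still need action."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["model"].strip().upper())
        if fixed is None:
            continue  # model not named in the article
        version = parse_version(row["firmware"])
        # Compare numerically: "2.0.10" is newer than "2.0.2", unlike a string compare.
        unpatched = version is None or version < fixed
        if version is None:
            findings.append((row["host"], "firmware version unreadable, check manually"))
        elif unpatched:
            findings.append((row["host"], "firmware below " + ".".join(map(str, fixed))))
        # Interim mitigation from the article: remote management off until patched.
        if unpatched and row["remote_mgmt"].strip().lower() == "on":
            findings.append((row["host"], "remote management enabled on unpatched device"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Devices whose version string cannot be parsed are reported rather than skipped, so an incomplete inventory does not pass the audit silently.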
Vendor Advisories
ASUS publishes a firmware update advisory on its website. CISA provides an alert for KadNap on its official website.