Industrial routers occupy a position in OT network architecture that makes their security posture particularly consequential. They sit at the edge of production environments, connecting field devices, remote sites, and industrial control systems to upstream networks. When they are compromised, the attacker's foothold is not just inside the corporate network: it is adjacent to or inside the OT network, with visibility into control system traffic and in some configurations the ability to interact with production equipment.
Two active botnet campaigns in May 2026 are targeting exactly this category of device: the Four-Faith F3x36 Industrial Cellular Router and ASUS AsusWRT-based routers. Both vulnerabilities carry high CVSS scores, both are being actively exploited, and both have been documented in OT and industrial deployment contexts.
Four-Faith F3x36: CVE-2024-9643
The Four-Faith F3x36 is an industrial cellular router designed for deployment in harsh environments: manufacturing floors, utility substations, transportation infrastructure, and remote field sites. It provides 4G/LTE connectivity for equipment that would otherwise require dedicated WAN links, and it is widely used in industrial deployments across Asia, the Middle East, and increasingly in North American and European infrastructure.
CVE-2024-9643 carries a CVSS score of 9.8 and allows full administrative control over affected devices without authentication. Exploitation does not require valid credentials, prior access, or user interaction. An attacker who can reach the device's web management interface, which in many deployments is accessible from the internet to facilitate remote management, can take complete control of the router.
Active exploitation of this vulnerability by botnets was documented starting May 12, 2026. The exploitation pattern being observed is consistent with botnet recruitment: compromised devices are being enrolled in command-and-control infrastructure, their connectivity is being used for additional attack activity, and in some cases the routers are being used as proxies to obscure the true origin of attacks against other targets.
The OT implication is specific and serious. A compromised Four-Faith F3x36 in an industrial deployment sits between field devices (PLCs, SCADA remote terminal units, sensors) and the upstream network. Traffic flowing between those field devices and control systems passes through the router. An attacker who controls the router can observe that traffic, and depending on how the industrial protocols are implemented, may be able to inject or modify commands.
In environments where the router connects directly to equipment running Modbus, DNP3, EtherNet/IP, or similar industrial protocols, the router compromise is not merely a network access problem. It is a potential control plane problem.
ASUS AsusWRT: CVE-2018-5999 Re-Weaponized by RondoDox
CVE-2018-5999 is a vulnerability from 2018 affecting ASUS routers running the AsusWRT firmware. It enables unauthenticated remote code execution via crafted POST requests against the web management interface. The vulnerability has been known for eight years.
On May 17, 2026, the RondoDox botnet began actively exploiting CVE-2018-5999 against publicly exposed ASUS routers. The re-weaponization of an eight-year-old vulnerability is not surprising: it reflects a consistent pattern in botnet operations where old vulnerabilities with large numbers of unpatched devices in the wild are more valuable than newly disclosed vulnerabilities that have been widely patched.
ASUS AsusWRT routers appear in office environments, branch offices, and remote work infrastructure. They are not industrial routers in the same sense as the Four-Faith device, but they are present in environments that connect to OT systems. Branch offices in manufacturing companies, remote sites at utilities, and small industrial operations frequently use commercial-grade SOHO routers for their connectivity, including ASUS models.
The RondoDox botnet's exploitation of this vulnerability creates a persistent presence on affected routers that survives reboots. Once enrolled in the botnet, compromised devices participate in DDoS attacks, proxy adversarial traffic, and in some campaigns are used as pivot points for deeper network penetration.
Why Old Vulnerabilities Keep Getting Exploited
The re-weaponization of CVE-2018-5999 in 2026, eight years after its disclosure, illustrates a fundamental problem in connected device security: patching rates for routers, especially at the SOHO and small commercial level, are far below what the threat landscape requires.
Several factors contribute to this:
Automatic update reluctance. Many network operators, including enterprise IT teams managing branch infrastructure, are reluctant to enable automatic firmware updates on network devices because updates occasionally introduce configuration changes or service disruptions. The result is that devices accumulate unpatched vulnerabilities over years.
Long device lifecycles. Commercial routers are frequently treated as long-lived infrastructure assets. A device purchased in 2018 running firmware from that era may still be in production today, running software that the vendor has long since stopped supporting.
Visibility gaps. Network infrastructure devices are often underrepresented in vulnerability management programs. Endpoint vulnerability scanners focus on servers and workstations; routers and network appliances may not be included in regular scan scopes. This means vulnerabilities like CVE-2018-5999 go undetected in asset inventory until exploitation begins.
Vendor support windows. For older devices, vendors may have already ended security support. Devices that have reached end-of-life do not receive patches even when critical vulnerabilities are discovered, leaving organizations with a choice between running vulnerable hardware and replacing it.
The Botnet Infrastructure Problem
Both exploitation campaigns in May 2026 are building botnet infrastructure β networks of compromised devices used for subsequent attacks. This matters beyond the immediate compromise of the affected organizations.
Botnets built from industrial and commercial routers provide attackers with geographically distributed, high-bandwidth infrastructure that is difficult to block. When attacks originate from thousands of compromised routers spread across legitimate business networks, IP-based blocking is ineffective and attribution is obscured.
More specifically for OT environments: botnet nodes that are physically located inside industrial or commercial facilities provide attackers with attack traffic that originates from trusted network locations. Traffic coming from an internal IP address (a compromised router inside an OT network) is treated differently by many security controls than traffic coming from external IP space.
The use of compromised industrial routers as botnet nodes also creates a reconnaissance opportunity. Traffic flowing through the router is visible to the attacker. In OT environments where control traffic flows through the compromised device, the attacker gains passive visibility into operational data, device communications, and network topology.
Assessing Exposure
Organizations with OT environments or industrial connectivity should assess their exposure across several dimensions:
Four-Faith F3x36 inventory. If your organization uses Four-Faith industrial cellular routers, common in utility, manufacturing, transportation, and remote monitoring applications, determine which firmware versions are running and whether CVE-2024-9643 has been patched. Check whether management interfaces are accessible from the internet; if they are, restrict access immediately while patches are applied.
ASUS router inventory. Identify ASUS AsusWRT-based routers in your environment, particularly at branch locations, remote sites, and any deployments that have been in service since 2018 or earlier. Check firmware currency against CVE-2018-5999 patch availability.
Management interface exposure. For any industrial router, the management interface should not be directly accessible from the internet. Remote management should be conducted through VPN or a dedicated management network. Direct internet exposure of management interfaces is the primary exploitation path for both vulnerabilities documented here.
OT network traffic inspection. In environments where industrial routers have been identified as potentially compromised or at elevated risk, consider whether OT network traffic monitoring can detect anomalous behavior: unexpected connections from router IP addresses, protocol anomalies, or traffic to unfamiliar external destinations.
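The four assessment steps above can be turned into a repeatable check. The following Python script is an added example written for this page, not code from Four-Faith, ASUS, or any vendor tooling. It assumes an asset inventory exported as device records (family, firmware string, management IP, whether the web UI is internet-reachable) and flow records as (source, destination, destination port) triples; both data sets below are constructed for illustration. Because the page does not state which firmware versions fix CVE-2024-9643 or CVE-2018-5999, the patched-version set is an empty placeholder that the operator fills in from the vendors' advisories, and until then every firmware string is reported as unpatched (fail closed). The allowlist of sanctioned external destinations is likewise an assumption.

```python
"""Exposure assessment for the two router campaigns discussed on this page.

Added example, not vendor or project code. Inventory, flow records, the
allowlist and the patched-version set are constructed/placeholder values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Device families and the CVEs the page discusses.
WATCHLIST = {
    "four-faith-f3x36": "CVE-2024-9643",
    "asuswrt": "CVE-2018-5999",
}

# PLACEHOLDER (assumption): the page gives no fixed firmware versions, so this
# starts empty and every firmware string is treated as unpatched until the
# operator adds the versions named in the vendors' advisories.
PATCHED_FIRMWARE = {
    "four-faith-f3x36": set(),
    "asuswrt": set(),
}

# RFC 1918 space counts as "internal" for the flow checks below.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Device:
    name: str
    family: str                # one of the WATCHLIST keys, or anything else
    firmware: str
    mgmt_ip: str
    mgmt_from_internet: bool   # web management interface reachable from the internet


def assess_device(dev, patched=PATCHED_FIRMWARE):
    """Findings for one device: unpatched CVE first, then exposure of the management UI."""
    findings = []
    cve = WATCHLIST.get(dev.family)
    if cve is None:
        return findings            # not one of the two families discussed on the page
    if dev.firmware not in patched.get(dev.family, set()):
        findings.append(f"{cve}: firmware '{dev.firmware}' not in the patched set")
    if dev.mgmt_from_internet:
        findings.append("management interface reachable from the internet; restrict access now")
    return findings


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def flag_flows(flows, router_ips, allowed_external):
    """Flag the two router behaviours the page says are worth alerting on: a router
    talking to an unfamiliar external host, and an external host reaching a
    router's web management ports."""
    alerts = []
    for src, dst, dport in flows:
        if src in router_ips and not is_internal(dst) and dst not in allowed_external:
            alerts.append(f"{src} -> {dst}:{dport}: router connecting to unfamiliar external destination")
        if dst in router_ips and dport in (80, 443) and not is_internal(src):
            alerts.append(f"{src} -> {dst}:{dport}: management port reached from external address")
    return alerts


# Constructed sample data (not real assets or traffic).
INVENTORY = [
    Device("substation-7-cell", "four-faith-f3x36", "fw-placeholder-a", "10.20.0.1", True),
    Device("branch-12-gw", "asuswrt", "fw-placeholder-b", "192.168.12.1", False),
    Device("dc-core-1", "other-vendor", "x", "10.0.0.1", False),
]
ALLOWED_EXTERNAL = {"198.51.100.10"}        # assumption: the site's sanctioned NTP server
FLOWS = [
    ("10.20.0.50", "10.20.0.1", 502),        # PLC to router, Modbus/TCP, internal: fine
    ("10.20.0.1", "198.51.100.10", 123),     # router to allowed NTP host: fine
    ("10.20.0.1", "203.0.113.7", 443),       # router to unknown external host: alert
    ("192.0.2.44", "10.20.0.1", 80),         # external host to router web UI: alert
]


def run_assessment(inventory=INVENTORY, flows=FLOWS, allowed_external=ALLOWED_EXTERNAL):
    """Return (findings per device with at least one finding, flow alerts)."""
    findings = {d.name: assess_device(d) for d in inventory}
    findings = {name: items for name, items in findings.items() if items}
    router_ips = {d.mgmt_ip for d in inventory if d.family in WATCHLIST}
    return findings, flag_flows(flows, router_ips, allowed_external)


if __name__ == "__main__":
    findings, alerts = run_assessment()
    for name, items in findings.items():
        print(name)
        for item in items:
            print("  -", item)
    for alert in alerts:
        print("ALERT", alert)
```

The inventory check deliberately treats an unknown firmware string as unpatched rather than as unknown, so a device only drops off the report once someone has confirmed its version against the advisory. The flow check only looks at two conditions, but they map directly onto the exploitation path the page describes (internet-reachable management interface) and the post-compromise behaviour it describes (routers reaching out to command-and-control or proxying traffic to unfamiliar hosts).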
The Broader Trend
The targeting of industrial routers by botnets in May 2026 is consistent with a multi-year trend of threat actors moving their initial access activity toward network infrastructure rather than endpoints. Industrial routers are particularly attractive because they sit at the boundary of OT environments, they are frequently under-managed compared to corporate IT equipment, and successful compromise provides both network access and intelligence about the industrial environment behind them.
The combination of a recently discovered 9.8 CVSS vulnerability in Four-Faith devices and an eight-year-old vulnerability being actively exploited in ASUS devices illustrates the full spectrum of the problem: new vulnerabilities in specialized hardware that patches slowly, and old vulnerabilities in commodity hardware where patching has simply not happened.
Organizations that treat router security as a lower priority than endpoint security are making a risk trade-off that the current threat environment does not support. Routers are the highest-risk connected device category in 2026, and the active exploitation documented this month is consistent with that assessment.