Your router is compromised when an attacker has gained unauthorized access to it — and the signs are usually hiding in plain sight. The clearest indicators are devices you don’t recognize appearing on your network, browser redirects sending you to unfamiliar sites, and DNS settings pointing to servers you never configured. If your router’s admin password suddenly stops working, that’s not a glitch — someone changed it. These are not subtle anomalies. They are direct evidence that your router has been weaponized, either as a surveillance tool, a botnet node, or a gateway for injecting malware into every device in your home.
The stakes are higher than most people realize. Approximately 4,000 cyberattacks occur daily, and attacks targeting network edge devices — routers, VPNs, and gateways — surged through 2025. A compromised router doesn’t just slow your connection. It sits between you and every website you visit, every password you type, every financial transaction you make. This article covers the specific warning signs to look for, the real-world attack campaigns exploiting home routers right now, and the concrete steps to take if you suspect your device has been tampered with.
Table of Contents
- What Are the Most Obvious Signs Your Router Has Been Hacked?
- How Does DNS Hijacking Work and Why Is It So Dangerous?
- Which Router Brands and Models Are Being Actively Targeted Right Now?
- What Should You Do Immediately If You Think Your Router Is Compromised?
- Can a Compromised Router Infect Your Other Devices?
- How Do You Check for Unauthorized Changes Without Technical Expertise?
- What Does the Near-Term Threat Landscape Look Like for Home Router Security?
- Conclusion
- Frequently Asked Questions
What Are the Most Obvious Signs Your Router Has Been Hacked?
The most reliable sign of a compromised router is a change you didn’t make. Start with your DNS settings. Open your router’s admin panel and navigate to the WAN or DHCP configuration. If the DNS server fields show addresses you don’t recognize (anything other than the resolvers your ISP assigns or well-known public resolvers like Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1), treat it as a serious red flag. DNS hijacking is the primary technique attackers use after gaining router access, because it lets them silently redirect your traffic without touching your devices at all. You type your bank’s URL, your browser resolves it to the attacker’s server, and you never notice.
A second obvious sign is being locked out of your own admin panel. Default credentials are the most common attack vector against home routers, and once an attacker logs in with “admin/admin” or whatever shipped with the device, the first thing they do is change the password. If your credentials stop working and you haven’t changed them, someone else did. Similarly, if all devices on your network — laptops, phones, tablets — are being redirected to the same unfamiliar or lookalike websites, the problem isn’t a virus on one device. The problem is the router itself, intercepting DNS queries for everything on the network.
Unknown devices appearing in your connected-devices list is another direct indicator. Most routers display a list of connected clients in the admin panel. If you see hardware addresses or device names you don’t recognize, especially at odd hours, your network perimeter has been breached. This is distinct from a neighbor guessing your Wi-Fi password — a compromised router can be used to onboard attacker-controlled devices deliberately.

How Does DNS Hijacking Work and Why Is It So Dangerous?
DNS hijacking through a compromised router is particularly insidious because it operates entirely transparently to the victim. When you request a website, your device asks the router for directions. If the router’s DNS has been altered to point at a malicious resolver, that resolver can send you anywhere — a convincing phishing page for your bank, a fake login portal for your email provider, or a site silently serving malware. Your browser shows the correct URL. Your connection may even show a padlock if the attacker has obtained a fraudulent certificate. Nothing looks wrong. A global DNS hijacking campaign identified in 2025 illustrated the scale of this threat. The campaign targeted outdated home routers and redirected victim traffic through servers linked to Aeza International, a bulletproof hosting provider that had been sanctioned by the United States.
The operation affected users across more than 35 countries. The victims weren’t targeted individually — they were compromised in bulk because their routers were running outdated firmware with known vulnerabilities. Their traffic was funneled through infrastructure specifically designed to be difficult for law enforcement to disrupt. The limitation worth noting here: checking your DNS settings once is not enough. Some attack campaigns rotate DNS entries or restore them after a period to avoid detection. If you suspect compromise, check your DNS settings multiple times over several days, and compare them against what your ISP actually assigns. A mismatch is definitive. A match is not necessarily clean.
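The repeated check described above can be kept as a dated log and audited. This added example (not part of the original article) flags any resolver outside a baseline and any change between checks; the ISP addresses and the log entries are constructed placeholders.

```python
import ipaddress
from datetime import date

# Public resolvers named in the article, plus ISP-assigned resolvers.
# The ISP addresses are constructed placeholders (documentation range).
PUBLIC = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}
ISP_ASSIGNED = {"203.0.113.53", "203.0.113.54"}

def normalize(servers):
    """Canonicalize addresses so ' 8.8.8.8 ' and '8.8.8.8' compare equal."""
    return frozenset(str(ipaddress.ip_address(s.strip())) for s in servers)

def audit_dns_log(observations, baseline):
    """observations: (date, [DNS servers read from the admin panel]) pairs."""
    baseline = normalize(baseline)
    findings, previous = [], None
    for day, servers in sorted(observations, key=lambda o: o[0]):
        current = normalize(servers)
        unknown = sorted(current - baseline)
        if unknown:
            findings.append((day, "unknown-resolver", unknown))
        if previous is not None and current != previous:
            findings.append((day, "changed-since-last-check",
                             sorted(current ^ previous)))
        previous = current
    return findings

def verdict(findings):
    kinds = {kind for _, kind, _ in findings}
    if "unknown-resolver" in kinds:
        return "mismatch: treat the router as compromised"
    if "changed-since-last-check" in kinds:
        return "changed: confirm the new values with your ISP"
    return "no mismatch seen: keep checking, a match is not proof of clean"

# Constructed log: the entry is swapped on day 3 and restored on day 4,
# so a single check on day 1 or day 5 would have looked normal.
SAMPLE_LOG = [
    (date(2025, 6, 1), ["203.0.113.53", "203.0.113.54"]),
    (date(2025, 6, 2), ["203.0.113.53", "203.0.113.54"]),
    (date(2025, 6, 3), ["198.51.100.7", "203.0.113.54"]),
    (date(2025, 6, 4), ["203.0.113.53", "203.0.113.54"]),
    (date(2025, 6, 5), ["203.0.113.53", "203.0.113.54"]),
]

if __name__ == "__main__":
    results = audit_dns_log(SAMPLE_LOG, PUBLIC | ISP_ASSIGNED)
    for day, kind, detail in results:
        print(day.isoformat(), kind, ", ".join(detail))
    print(verdict(results))
```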
Which Router Brands and Models Are Being Actively Targeted Right Now?
The Quad7 botnet, active throughout 2025, has been systematically compromising routers from TP-Link, Zyxel, Asus, D-Link, and NETGEAR. These are not obscure brands — they represent the majority of home and small office routers sold globally. Quad7 gains access through unpatched vulnerabilities and default credentials, then uses the compromised devices for credential-stuffing attacks and as proxy infrastructure. If you own a device from any of these manufacturers and haven’t updated the firmware recently, you are in the target pool.
In May 2025, thousands of ASUS home and SOHO routers were found infected with a particularly resilient backdoor. What made this variant alarming was its persistence: it survives reboots and firmware updates. In most router compromise scenarios, a factory reset or firmware flash is sufficient to evict the attacker. This backdoor circumvents that. It embeds itself in a way that standard remediation steps don’t address, meaning users who followed conventional security advice were still infected.
D-Link users with legacy DSL gateways face a specific, actively exploited vulnerability tracked as CVE-2026-0625. It enables unauthenticated remote code execution through DNS configuration manipulation — an attacker doesn’t need your admin credentials to take over the device. D-Link has reached end-of-life on many of these products, meaning no patch is coming. If you’re running an end-of-life D-Link gateway, replacement is not optional advice. It is the only remediation available.

What Should You Do Immediately If You Think Your Router Is Compromised?
The first step is to disconnect the router from the internet — not just reboot it. Pull the WAN cable or disable the modem connection. This stops any ongoing data exfiltration or command-and-control communication while you assess the situation. Then access the admin panel from a wired connection if possible, since a compromised router controlling wireless traffic could theoretically interfere with what you see over Wi-Fi. Check three things in order: DNS settings (WAN and DHCP), connected devices, and the admin password. If any of them show changes you didn’t make, proceed directly to a factory reset followed by a fresh firmware flash from the manufacturer’s official site. Do not restore from a saved configuration backup — if your config file was created while the router was compromised, restoring it reintroduces the attacker’s changes.
Set a new admin password that is at least 16 characters and unique to this device. Then change your Wi-Fi password, which forces all devices to re-authenticate. The tradeoff here is inconvenience versus certainty. A factory reset is disruptive — you lose custom port forwarding rules, DNS settings, and Wi-Fi configurations. But it is the only way to be confident you’ve removed whatever was installed. Partial remediation — just changing the password or just checking DNS — leaves the possibility of deeper compromise unaddressed. For the ASUS backdoor discovered in 2025 that survives firmware updates, the calculus changes further: if you own an affected ASUS device, check whether the manufacturer has issued a specific remediation guide beyond standard firmware updates.
Can a Compromised Router Infect Your Other Devices?
Yes, and this is where router compromise becomes a network-wide threat rather than a single-device problem. A hijacked router can push malware to connected devices through DNS manipulation, by intercepting unencrypted traffic, or by exploiting vulnerabilities in device auto-update mechanisms. According to security researchers, new software appearing on connected devices without user action is a documented consequence of router-level compromise. The router becomes a man-in-the-middle for every device on the network. The ViciousTrap threat actor demonstrated the scale of what’s possible. By exploiting vulnerabilities in Cisco Small Business RV routers, this group compromised approximately 5,300 network edge devices across 84 countries.
The infected devices were used as proxy nodes — essentially conscripted into infrastructure for further attacks against other targets. Your compromised home router doesn’t just harm you. It becomes a tool used against someone else. A critical warning: HTTPS does not fully protect you from a compromised router. While it encrypts the content of your traffic, the router controls DNS resolution — it decides where your HTTPS connection actually goes before encryption begins. If the router sends your “https://bankofamerica.com” query to a malicious server, and that server has a fraudulent certificate your browser accepts, the padlock is meaningless. Some advanced attacks also perform SSL stripping, downgrading connections to HTTP before they reach your device.

How Do You Check for Unauthorized Changes Without Technical Expertise?
You don’t need to be a network engineer to spot the most dangerous signs of router compromise. Most routers have an admin panel accessible at 192.168.1.1 or 192.168.0.1 — type either into your browser while connected to your home network. Look specifically at the DNS server fields under Internet, WAN, or Advanced settings. Write down what you see and compare it against what your ISP says your DNS should be. If you use a consumer ISP like Comcast or AT&T, their support lines can tell you what DNS addresses you should be using. Any deviation is worth investigating.
For connected devices, the admin panel typically has a section labeled “Connected Devices,” “DHCP Clients,” or “Device List.” Count the entries and match them against what you know is in your home. Phones, laptops, smart TVs, game consoles, tablets, smart speakers — list them. If the count in your router panel exceeds what you own, or if device names are unfamiliar strings of letters and numbers rather than recognizable device names, treat it as suspicious. Legitimate devices usually identify themselves with manufacturer names or the name you gave them when setting them up.
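The device count described above, as an added example that is not part of the original article: it matches a router's client list against a household inventory by MAC address. The inventory, the client list and its column layout are constructed assumptions; a MAC with the locally administered bit set is reported separately, because phones using a private Wi-Fi address present one and may simply be your own.

```python
import re

# Constructed inventory of devices the household owns (MAC -> label).
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": "laptop",
    "f0:18:98:aa:bb:cc": "smart TV",
    "a4:83:e7:01:02:03": "game console",
}

# Constructed client list; the column layout is an assumption, since every
# router's admin panel shows this differently.
SAMPLE_CLIENTS = """\
192.168.1.10  3C-22-FB-10-20-30  work-laptop
192.168.1.11  f0:18:98:aa:bb:cc  LivingRoomTV
192.168.1.23  da:a1:19:4e:77:01  iPhone
192.168.1.57  00:0c:43:9f:12:8e  x9f2kq7
"""

def normalize_mac(raw):
    """Accept aa:bb.., AA-BB.. or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_private(mac):
    """True when the locally administered bit (0x02 of octet 1) is set."""
    return bool(int(mac[:2], 16) & 0x02)

def review_clients(client_text, known):
    known = {normalize_mac(m): label for m, label in known.items()}
    seen, report = set(), []
    for line in client_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # blank or malformed row
        mac = normalize_mac(parts[1])
        seen.add(mac)
        status = ("known" if mac in known
                  else "unknown-private" if is_private(mac) else "unknown")
        name = parts[2].strip() if len(parts) > 2 else ""
        report.append((parts[0], mac, name, status))
    # Owned devices that are offline are listed so the counts can be reconciled.
    missing = sorted(label for m, label in known.items() if m not in seen)
    return report, missing

if __name__ == "__main__":
    rows, absent = review_clients(SAMPLE_CLIENTS, KNOWN_DEVICES)
    for row in rows:
        print(*row)
    print("not currently connected:", absent)
```

An "unknown-private" entry can be resolved by switching Wi-Fi off on each phone or tablet in turn and seeing which row disappears; an "unknown" entry with a vendor-assigned address that matches nothing you own is the one to investigate.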
What Does the Near-Term Threat Landscape Look Like for Home Router Security?
The trajectory is not reassuring. Global cybercrime damages were projected at $10.5 trillion for 2025, and routers have become a preferred attack surface precisely because they are neglected. Unlike laptops and phones, routers rarely receive automatic updates, are never replaced on a regular cycle, and sit running continuously for years without anyone checking their configuration. Manufacturers have historically treated security as secondary to ease of setup — default credentials, open admin interfaces, and infrequent patch releases are endemic to the industry.
CISA’s addition of an actively exploited Sierra Wireless router flaw to its Known Exploited Vulnerabilities catalog in December 2025 signals that government agencies view router security as a genuine critical infrastructure issue, not just a consumer problem. Industrial and enterprise routers are being targeted alongside home devices. The gap between when vulnerabilities are discovered and when average users apply patches remains wide enough to drive entire botnet operations through. Until router firmware updates become as automatic and reliable as smartphone OS updates, home users will continue to be among the most exposed endpoints on the internet.
Conclusion
The signs of a compromised router are concrete and checkable: DNS settings pointing to unknown servers, admin credentials that no longer work, unfamiliar devices on your network, unexplained browser redirects, and new software appearing on your devices without your action. None of these require a security background to identify. What they require is actually looking — something most people never do until something goes wrong. Given that active campaigns in 2025 targeted routers from every major consumer brand and that some backdoors now survive factory resets, periodic checks are no longer optional hygiene. They are necessary.
If you find evidence of compromise, act in this order: disconnect from the internet, factory reset and reflash firmware, set new unique credentials, and reconnect without restoring old configuration backups. Check whether your specific router model appears in any current vulnerability advisories — CISA’s Known Exploited Vulnerabilities catalog is publicly searchable. If your router is end-of-life and receiving no patches, replacement is the only real remediation. The cost of a new router is low. The cost of having every password you type routed through attacker-controlled infrastructure is not.
Frequently Asked Questions
How do I find my router’s admin panel?
Most home routers are accessible at 192.168.1.1 or 192.168.0.1 — type either address into your browser’s address bar while connected to your home network. The login credentials are often printed on the bottom of the router. If someone has changed those credentials and you can’t log in, that itself is a sign of compromise.
Will a factory reset fix a compromised router?
In most cases, yes — a factory reset followed by a fresh firmware flash removes attacker changes. However, certain advanced backdoors, including one found on ASUS routers in May 2025, are specifically designed to survive both reboots and firmware updates. Check your router manufacturer’s security advisories for device-specific guidance.
My internet is slow — does that mean my router is hacked?
Not necessarily. Slowdowns have many causes, including ISP congestion, hardware degradation, and bandwidth-heavy devices. However, unexplained and persistent slowdowns accompanied by other signs — DNS changes, unknown devices, browser redirects — make compromise a serious possibility worth investigating.
What DNS servers should my router be using?
It depends on your setup. Your ISP assigns DNS servers automatically in most configurations. Well-known alternatives include Google (8.8.8.8 and 8.8.4.4) and Cloudflare (1.1.1.1). If your router’s DNS fields show addresses other than these that you didn’t set, verify them against your ISP’s documentation. Unrecognized DNS servers are a primary indicator of router-level compromise.
Is HTTPS enough to protect me from a compromised router?
No. While HTTPS encrypts traffic content, your router controls DNS resolution — it determines where your connection goes before encryption begins. A router serving malicious DNS responses can redirect HTTPS requests to attacker-controlled servers. Some attacks also perform SSL stripping to downgrade connections before they reach your device.
How often should I check my router settings?
At minimum, check your DNS settings and connected devices list every few months, and immediately after any unusual network behavior. Also check after any news of vulnerabilities affecting your router brand — Quad7 and similar botnets move quickly once a CVE is published.
