
Researchers at Trellix have discovered a critical unauthenticated remote code execution (RCE) vulnerability impacting 29 models of the DrayTek Vigor series of business routers.

The vulnerability is tracked as CVE-2022-32548 and carries a maximum CVSS v3 severity score of 10.0, categorizing it as critical.

The attacker does not need credentials or user interaction to exploit the vulnerability, with the default device configuration making the attack viable via the internet and LAN.

Hackers who exploit this vulnerability could potentially perform the following actions:

  • complete device takeover,
  • information access,
  • laying the ground for stealthy man-in-the-middle attacks,
  • changing DNS settings,
  • using the routers as DDoS or cryptominer bots,
  • or pivoting to devices connected to the breached network.

Widespread impact

DrayTek Vigor devices became very popular during the pandemic by riding the "work from home" wave. They are excellent cost-efficient products for VPN access to small and medium-sized business networks.

A Shodan search returned over 700,000 online devices, most located in the UK, Vietnam, Netherlands, and Australia.

Trellix decided to evaluate the security of one of DrayTek's flagship models due to its popularity and found that the web management interface suffers from a buffer overflow issue on the login page.

Using a specially crafted pair of credentials as base64 encoded strings in the login fields, one can trigger the flaw and take control of the device's OS.

The researchers found that at least 200,000 of the detected routers expose the vulnerable service on the internet and are therefore readily exploitable without user interaction or any other special prerequisites.

Of the remaining 500,000, many are also believed to be exploitable using one-click attacks, but only via LAN, so the attack surface is smaller.
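A defender-side check suggested by the description above, added here as example code (it is not Trellix's or DrayTek's): it inspects logged login POSTs for base64 credential fields that are malformed or decode to implausibly long strings, and flags login attempts that reach the management UI from outside the assumed internal ranges. The login path, field names, length threshold, internal ranges and the request records are all constructed assumptions, not values from the advisory.

```python
import base64
import binascii
import ipaddress

# Assumptions (not from the advisory): a hypothetical login endpoint, the
# names of the base64-encoded credential fields, and the longest decoded
# credential we would consider legitimate on a management UI.
LOGIN_PATH = "/login"
CRED_FIELDS = ("uid_b64", "pw_b64")
MAX_DECODED_LEN = 64
# Assumed internal ranges; a real deployment would use its own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, shaped like what a WAF or reverse proxy that
# logs POST bodies might emit (field -> submitted value). Not real traffic.
SAMPLE_REQUESTS = [
    {"src": "192.168.1.20", "path": "/login",
     "form": {"uid_b64": "YWRtaW4=", "pw_b64": "U3VwZXJTM2NyZXQh"}},
    {"src": "203.0.113.7", "path": "/login",                      # external
     "form": {"uid_b64": "YWRtaW4=",
              "pw_b64": base64.b64encode(b"A" * 300).decode()}},  # oversized
    {"src": "203.0.113.9", "path": "/login",
     "form": {"uid_b64": "not!!base64", "pw_b64": "YWJj"}},       # malformed
    {"src": "10.0.0.5", "path": "/status", "form": {}},          # not a login
]

def decoded_length(value):
    """Decoded byte length of a base64 string, or None if it is not valid base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None

def analyse_request(req):
    """Return a list of findings for one logged request (empty if nothing odd)."""
    findings = []
    if req["path"] != LOGIN_PATH:
        return findings
    src = ipaddress.ip_address(req["src"])
    if not any(src in net for net in INTERNAL_NETS):
        findings.append(f"login from external address {src}: management UI exposed")
    for field in CRED_FIELDS:
        value = req["form"].get(field)
        if value is None:
            continue
        n = decoded_length(value)
        if n is None:
            findings.append(f"{field}: malformed base64")
        elif n > MAX_DECODED_LEN:
            findings.append(f"{field}: decoded length {n} exceeds {MAX_DECODED_LEN}")
    return findings

def scan(requests):
    """Map the index of each suspicious request to its findings."""
    return {i: f for i, req in enumerate(requests) for f in [analyse_request(req)] if f}
```

Request 0 is a normal internal login and produces no finding; requests 1 and 2 are flagged for the oversized and malformed credential fields respectively, and additionally for arriving from outside the internal ranges.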

The vulnerable models are the following:

  • Vigor3910
  • Vigor1000B
  • Vigor2962 Series
  • Vigor2927 Series
  • Vigor2927 LTE Series
  • Vigor2915 Series
  • Vigor2952 / 2952P
  • Vigor3220 Series
  • Vigor2926 Series
  • Vigor2926 LTE Series
  • Vigor2862 Series
  • Vigor2862 LTE Series
  • Vigor2620 LTE Series
  • VigorLTE 200n
  • Vigor2133 Series
  • Vigor2762 Series
  • Vigor167
  • Vigor130
  • VigorNIC 132
  • Vigor165
  • Vigor166
  • Vigor2135 Series
  • Vigor2765 Series
  • Vigor2766 Series
  • Vigor2832
  • Vigor2865 Series
  • Vigor2865 LTE Series
  • Vigor2866 Series
  • Vigor2866 LTE Series

DrayTek quickly released security updates for all models mentioned above, so navigate to the vendor's firmware update center and locate the latest version for your model.

For information on performing the firmware update on your router, check out this guide by DrayTek.

There have been no signs of CVE-2022-32548 being exploited in the wild, but as CISA reported recently, SOHO routers are always in the crosshairs of state-sponsored APTs from China and elsewhere.
