14 additional vulnerabilities in DrayTek routers were discovered in a recent Forescout Technologies report. If left unaddressed, attackers could gain full control over these devices, opening the door to ransomware, denials of service and other attacks. With routers being increasingly targeted, this research spotlights the need for immediate action including patching and disabling unnecessary remote access to protect network devices against rising cyber threats.
DrayTek routers are widely used across many industries and this broad usage has made them prime targets for cybercriminals. In addition to this research, DrayTek routers were flagged in a recent FBI action and CISA added DrayTek vulnerabilities to the Known Exploited Vulnerabilities (KEV) list.
- 14 vulnerabilities identified across DrayTek routers: The highest severity finding received a CVSS score of 10; another scored a 9.1. These high-risk vulnerabilities can allow attackers to conduct remote code execution and OS command injection attacks. Further technical details are included in the full report.
- Global widespread exposure: Over 704,000 DrayTek routers are currently exposed to the internet. More than 425,000 are in the UK and EU, and over 190,000 are in Asia, a complete regional breakdown of exposure is detailed in the report. The majority of the routers are intended for business use — with 75% used commercially. Nearly 40% of DrayTek routers are still vulnerable to similar issues identified two years ago and added to the CISA KEV catalog.
- End-of-Life devices at risk: The vulnerabilities found impact 24 DrayTek router models, 11 of which are end-of-life (EoL). Over two-thirds (63%) of the exposed devices are either End-of-sale (EoS) or EoL, making them more difficult to patch and protect.
DrayTek vulnerabilities create many potential router attack paths, especially for those with the web management interface exposed to the internet. Attackers can deploy a persistent rootkit to intercept and analyze network traffic, stealing sensitive data such as credentials or confidential information. Once inside, they could move laterally across the network, compromising other devices and potentially leading to ransomware, denial-of-service (DoS) attacks, or the creation of botnets for distributed attacks. High-performance routers, such as the Vigor3910, could even be repurposed as command-and-control (C2) servers, enabling attackers to launch further attacks on other victims.
As part of the responsible disclosure process, DrayTek has patched all the firmware vulnerabilities Vedere Labs uncovered. However, organizations still need to take mitigation steps to protect these products on their networks.