Critical Vulnerabilities Expose Nearly 1 Million DrayTek Routers Globally

Critical security vulnerabilities exposed in DrayTek Vigor routers: Discover how to protect your network from these serious flaws. Learn about the risks, affected devices, and how to patch your router immediately. Secure your network now!

Censys research has revealed 14 vulnerabilities in DrayTek Vigor routers, with British Telecoms being one of the most vulnerable hosts followed by hosts in Vietnam, The Netherlands, and Taiwan.

Businesses and home users worldwide commonly use routers. Therefore, these flaws pose a significant risk, allowing attackers to potentially take control of your network devices and launch further attacks. The vulnerabilities were publicly disclosed on 2 October 2024, while the users most impacted by the vulnerabilities include the following:

• Taiwan
• Vietnam
• Germany
• Netherlands
• United Kingdom

****What are the vulnerabilities?****

Fourteen vulnerabilities were discovered, ranging from critical to medium severity. The most concerning ones are:

• CVE-2024-41592 (CVSS Score: 10.0): This critical buffer overflow vulnerability in the web interface can be exploited to crash the router (Denial-of-Service) or even gain complete control (Remote Code Execution) if chained with CVE-2024-41585. This buffer overflow can be triggered by sending a long query string to CGI pages.
• CVE-2024-41585 (CVSS Score: 9.1): This vulnerability is an OC command injection flaw, which allows attackers to inject malicious code into the router’s operating system, potentially granting full access to the device. The exploit chain impacts Vigor router models 3910 and 3912.

****High-Severity Vulnerabilities:****

• CVE-2024-41586: A cross-site scripting (XSS) vulnerability in the router’s web interface could allow an attacker to inject malicious code into web pages visited by users, potentially leading to unauthorized access or data theft.
• CVE-2024-41587: Another XSS vulnerability in the web interface could be exploited to steal sensitive information from users, such as login credentials.
• CVE-2024-41588: A remote code execution vulnerability in the router’s Telnet service could allow an attacker to gain unauthorized access to the device and execute arbitrary commands.

****Why is this a big deal?****

According to Censys’ report shared with Hackread.com, over 700,000 (i-e 751,801) DrayTek Vigor routers are currently exposed directly to the internet, making them easy targets for attackers. The VigorConnect admin UI is exposed on 421,476 devices. The largest concentrations of these interfaces come from national ISPs and regional telecom providers, and Taiwan-based HINET is leading the list, as DrayTek is a Taiwanese company.

An exposed VigorConnect Admin Interface (Via Censys)

Exploiting these vulnerabilities can lead to a domino effect, allowing attackers to compromise your entire network. Moreover, DrayTek routers have been targeted in the past, with the FBI reporting (PDF) Chinese-sponsored botnet activity using older CVEs in DrayTek routers and Volt Typhoon exploiting SOHO networking equipment to carry out attacks last year, making patching a necessity.

DrayTek has released patches for all of these vulnerabilities. It is important to update your router’s firmware to the latest version to protect yourself from these threats. Additionally, it is recommended to follow the security best practices, such as disabling remote access to the router’s web interface and enabling two-factor authentication (2FA), to stay protected.

1. TheMoon Malware Returns: 6K Asus Routers Hacked in 72 Hours
2. ASUS and NordVPN Partner to Integrate VPN Service into Routers
3. New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers
4. FBI Alert: Russian Hackers Target Ubiquiti Routers for Botnet Creation
5. NETGEAR Router Vulnerability Allowed Access to Restricted Services