
Over 700,000 DrayTek routers vulnerable to remote hijacking


Security researchers have found 14 security vulnerabilities in DrayTek Vigor routers. One of these is a critical remote code execution vulnerability with the maximum CVSS score of 10 and might be under active exploitation. Approximately 785,000 of these routers are estimated to be operating in personal and business settings.

Most of the bugs arise from the routers’ control panel, allowing attackers to take over routers and launch attacks on other devices in the network. Other potential attacks include ransomware deployments and denial-of-service attacks. The vulnerabilities affect 24 models in DrayTek’s router lineup, some of which have already reached end-of-life and end-of-sale status.

DrayTek had previously issued warnings stating that Vigor routers’ control panels should only be accessible from a local network. However, researchers at Forescout Research’s Vedere Labs found more than 704,000 DrayTek routers with control panels exposed to the internet. Businesses are using 75 percent of these routers, while 38 percent are susceptible to similar vulnerabilities reported almost two years ago.


Vulnerabilities in DrayTek’s routers have previously been exploited by Chinese state-sponsored agents to carry out attacks. Vedere Labs recorded 130 instances of router-related attacks, including logins and exploits, between 2023 and 2024.

One of the attacks demonstrated by Vedere Labs chained CVE-2024-41592, the highest-rated and most critical vulnerability among the 14, with CVE-2024-41585 to gain remote access to the host OS on the vulnerable router. Both vulnerabilities are critical, with CVSS scores of 10 and 9.1, respectively. The other 12 bugs have medium to high severity scores.

The company has issued patches for all 14 vulnerabilities, covering both supported and end-of-life routers. Other mitigations include disabling remote access if it is not required or enabling two-factor authentication for the capability.


Yadullah Abidi
