Researchers have identified fourteen new vulnerabilities in DrayTek Vigor routers, including a critical remote code execution flaw rated 10 out of 10 on the CVSS severity scale.
DrayTek, a Taiwanese networking equipment maker, offers advanced routers with VPN, firewalls, and bandwidth management for residential and business use. Widely deployed in industries like healthcare, retail, and government, its devices are prime targets for cybercriminals.
These vulnerabilities pose a substantial threat, potentially allowing cybercriminals to seize control of affected devices to steal sensitive data, deploy ransomware, and launch denial-of-service attacks. An estimated 785,000 DrayTek routers are currently in operation, primarily within business environments.
Alarmingly, research from Forescout’s Vedere Labs has revealed that over 704,000 of these devices have their web interfaces exposed to the public internet, making them particularly vulnerable to exploitation.
Despite warnings from DrayTek that these control panels should only be accessible from local networks, this exposure remains a significant risk.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
Technical Details of Critical Flaws
The vulnerabilities have not gone unnoticed by malicious actors. DrayTek routers have been consistently targeted by threat groups, especially Chinese advanced persistent threats (APTs).
Recent reports from the FBI indicate that Chinese government spies exploited three vulnerabilities in DrayTek routers to create a botnet comprising 260,000 devices. DrayTek has issued patches for all fourteen CVEs across both supported and end-of-life models.
Among the newly discovered vulnerabilities are two particularly severe issues:
- CVE-2024-41592: This buffer overflow vulnerability in the web user interface’s GetCGI() function allows unauthenticated users to execute remote code or cause a denial of service. It received a maximum severity rating.
- CVE-2024-41585: This OS command injection flaw affects the recvCmd binary in the firmware, enabling command injection attacks from the guest OS to the host OS. It has been rated with a CVSS score of 9.1.
These vulnerabilities can be exploited together to gain remote root access to the host operating system of affected devices.
Recommended Mitigation Steps
To mitigate these risks, users are advised to:
- Disable remote access capabilities unless absolutely necessary.
- Implement two-factor authentication and access control lists for remote access if needed.
- Employ network segmentation and strong password policies.
- Regularly monitor devices for unusual activity.
The vulnerabilities impact 24 models, including Vigor1000B, Vigor2962, Vigor3910, and others. Some of these models support high download/upload speeds and feature robust hardware capabilities, making them attractive targets for use as command-and-control servers.
The discovery of these vulnerabilities underscores the critical need for businesses to secure their network infrastructure against increasingly sophisticated cyber threats. By taking proactive measures and applying available patches, organizations can better protect themselves against potential exploitation.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration