A critical vulnerability affecting DrayOS routers could let unauthenticated attackers execute code remotely.
Discovered on July 22 by Pierre-Yves Maes of ChapsVision, the flaw stems from the use of an uninitialized variable in the Web User Interface (WebUI).
Crafting special HTTP or HTTPS requests to the WebUI triggers memory corruption, potentially crashing the device or allowing remote code execution in specific scenarios.
Impact and Exploitation
The weakness requires no valid credentials and can be exploited by any attacker with network access to the router’s WebUI.
While routers are typically shielded from wide-area-network (WAN) threats if the WebUI and SSL VPN services are disabled or protected by Access Control Lists (ACLs), the flaw remains exploitable by attackers on the local network.
CVE ID | Vulnerability | Impact | Exploit Prerequisites |
CVE-2025-10547 | Use of uninitialized variable in WebUI logic | Remote code execution | Unauthenticated HTTP/HTTPS to WebUI |
On some models, LAN-side VLANs and ACLs offer additional control over WebUI access. In the absence of these controls, simply sending a maliciously crafted request is enough to exploit the vulnerability.
Successful exploitation may result in:
- Memory corruption leading to device instability or crash
- Potential execution of arbitrary code under the system’s privilege context
Affected Products and Mitigations
To eliminate this risk, DrayTek has released firmware updates that correct the uninitialized variable usage. Administrators should upgrade affected models to the versions listed below at the earliest opportunity.
Affected models include the Vigor1000B, Vigor2962, Vigor3910, Vigor3912, Vigor2135, and various models within the Vigor276x, Vigor286x, Vigor291x, Vigor292x, and Vigor295x series, and many others.
Routers remain secure against external attackers when WebUI and SSL VPN are disabled or protected by ACLs. However, local network access is sufficient to exploit the flaw if firmware remains outdated. Apply the updates immediately to ensure full protection.