Serious Security Vulnerabilities Exposed in 704,525 DrayTek Routers

A new report by Forescout Research has identified 14 new security vulnerabilities in 24 models of DrayTek's popular Vigor routers, a familiar name in the UK broadband ISP world. One of the vulnerabilities even has a Common Vulnerability Scoring System (CVSS) score of 10 out of 10, and over 704,000 routers were found exposed online in 168 countries.

The report (here) notes that approximately 785,000 DrayTek devices are operating Wi-Fi networks in the wild (over 425,000 of those are in Europe – with 36% in the UK). According to the vendor, DrayTek's Vigor Web UI "should only be accessible from a local network for security reasons", but the study "found over 704,000 DrayTek routers that have their UI exposed to the Internet" (most of these are used by businesses and some advanced home users).

NOTE: Out of the 24 models affected by this, some 11 are considered End of Life (EoL) devices and the rest are either still new or still relatively modern / fully supported.

The research noted that, out of the 14 new vulnerabilities discovered (see bottom of the article for the full list), one had a maximum severity score of 10, while another one is critical at 9.1 and nine others have medium severity scores. The vulnerabilities could all be used in espionage, data exfiltration, ransomware, and denial of service (DoS) attacks and this threat risk is not theoretical.

On 18th September 2024, the Federal Bureau of Investigation (FBI) in the USA announced it had taken down a botnet exploiting three CVEs on DrayTek assets (CVE-2023-242290, CVE-2020-15415 and CVE-2020-8515). Two weeks prior, CISA added two other DrayTek CVEs to the KEV (CVE-2021-20123 and CVE-2021-20124).

In addition, a significant proportion of these vulnerable devices (38%) were also found to be susceptible to similar issues identified two years ago (here), which have already been patched. This suggests that many end-users of related devices are not checking to ensure they’re using the latest and most secure firmware (software) for their routers.

The good news is that DrayTek have already released firmware patches for the newly discovered vulnerabilities, including their EoL kit, which is in stark contrast to certain other router manufacturers we could name that have a terrible history when it comes to supporting older, but still actively used, devices. Well done DrayTek.
