Barry Tech Review


A Critical RCE Bug Spotted in Over 200,000 DrayTek Routers

Researchers at Trellix discovered a critical RCE bug in about 29 models of DrayTek business routers, putting hundreds of thousands of people using them at risk.

The RCE bug is a buffer overflow in the login page. Exploiting it requires no interaction from the victim, and it can be triggered over the internet. DrayTek has released patches for all affected models and urges users to update as soon as possible to stay secure.

RCE Bug With Critical Status

DrayTek business routers are popular devices whose sales rose sharply during the pandemic, when most people were pushed into a work-from-home routine. While these routers serve that connectivity need, Trellix researchers spotted a critical RCE bug in 29 models of DrayTek routers, listed below:

  • Vigor3910
  • Vigor1000B
  • Vigor2962 Series
  • Vigor2927 Series
  • Vigor2927 LTE Series
  • Vigor2915 Series
  • Vigor2952 / 2952P
  • Vigor3220 Series
  • Vigor2926 Series
  • Vigor2926 LTE Series
  • Vigor2862 Series
  • Vigor2862 LTE Series
  • Vigor2620 LTE Series
  • VigorLTE 200n
  • Vigor2133 Series
  • Vigor2762 Series
  • Vigor167
  • Vigor130
  • VigorNIC 132
  • Vigor165
  • Vigor166
  • Vigor2135 Series
  • Vigor2765 Series
  • Vigor2766 Series
  • Vigor2832
  • Vigor2865 Series
  • Vigor2865 LTE Series
  • Vigor2866 Series
  • Vigor2866 LTE Series

Tracked as CVE-2022-32548, this RCE bug is rated 10/10 on the severity scale because exploitation requires no interaction from the target. A threat actor can compromise the affected DrayTek routers both over the internet and from the LAN.

Using a general Shodan search, the researchers found over 700,000 DrayTek devices exposed online, most of them located in the UK, Vietnam, the Netherlands, and Australia. They identified the issue as a buffer overflow in the login page of DrayTek’s web management interface.

A threat actor can submit a specially crafted pair of credentials, as base64-encoded strings, in the login fields to trigger the flaw and take over the device. The researchers confirmed that at least 200,000 routers are vulnerable to this flaw, and the remaining 500,000 devices they spotted could also be vulnerable in some form.
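As an added defensive example (not code from Trellix or DrayTek), the check below inspects login POST bodies whose credential fields are base64-encoded, as the article describes, and flags values that are oversized, contain non-printable bytes, or are not valid base64. The field names aa/ab, the length limit, and the sample bodies are all constructed assumptions, not DrayTek's real form parameters.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Heuristic limit (an assumption, not from the advisory): a legitimate
# username or password is short and printable, while input aimed at a
# login-field buffer overflow is typically long or contains raw bytes.
MAX_DECODED_LEN = 64
# Placeholder names for the login form's username/password parameters.
CRED_FIELDS = ("aa", "ab")


def decode_field(value: str):
    """Strictly base64-decode one login field; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_login(body: str) -> dict:
    """Classify each credential field of a URL-encoded login POST body.

    Returns {'fields': {name: verdict}, 'suspicious': bool}, where verdict is
    'ok', 'not-base64', 'oversized:<n>' or 'non-printable'.
    """
    fields = parse_qs(body, keep_blank_values=True)
    findings = {}
    for name in CRED_FIELDS:
        raw = fields.get(name, [""])[0]
        decoded = decode_field(raw)
        if decoded is None:
            findings[name] = "not-base64"
        elif len(decoded) > MAX_DECODED_LEN:
            findings[name] = f"oversized:{len(decoded)}"
        elif any(b < 0x20 or b > 0x7E for b in decoded):
            findings[name] = "non-printable"
        else:
            findings[name] = "ok"
    return {"fields": findings, "suspicious": any(v != "ok" for v in findings.values())}


def make_body(user: bytes, password: bytes) -> str:
    """Build a form body with base64-encoded credential fields (constructed)."""
    return urlencode({"aa": base64.b64encode(user).decode(),
                      "ab": base64.b64encode(password).decode()})


# Constructed sample request bodies, not captured traffic.
SAMPLES = {
    "normal": make_body(b"admin", b"Str0ngPass!"),
    "oversized": make_body(b"A" * 300, b"x"),
    "binary": make_body(b"admin", b"\x00\x01\xff"),
}


def scan_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {label: classify_login(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in scan_samples().items():
        print(label, result)
```

Run against real access logs, the same rule can feed an alert on any login request whose decoded fields are far longer than any credential an administrator would type.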

After being notified, DrayTek quickly released security updates for all affected models and urges users to patch them immediately. All you need to do is check the vendor’s firmware update center, find the latest version for your model, and update. Here’s a guide from DrayTek on how to do it.
