A critical unauthenticated RCE (remote code execution) flaw has impacted 29 models of DrayTek’s business routers in the Vigor series, tracked as CVE-2022-32548 with a CVSS score of 10. Reports reveal that user interaction and credentials are unnecessary for a threat actor to exploit the flaw.
Attackers could easily perform attacks against the impacted business routers over an internet or LAN connection, especially with the default device configuration. Potential actions an attacker could carry out include complete device takeover, access to device information, man-in-the-middle attacks, changing DNS settings, using the routers as cryptomining or DDoS bots, and pivoting into connected networks.
Since the pandemic, many employees have shifted to working from home, and the sale of routers from different brands has peaked. This shift includes small to medium-sized firms trying out business routers for their cost-effective VPN access benefits.
One of the network equipment brands that became popular was DrayTek, which urged security researchers to evaluate one of its flagship models. The analysts found that the device's web management interface has a buffer overflow in its login handling.
A threat actor could trigger the vulnerability by submitting specially crafted credentials as base64-encoded strings on the login page. If successful, the attacker could gain access to and control of the device's operating system.
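The details of DrayTek's implementation are not public here, so the following is an added illustration of the bug class the article names, not DrayTek's code: a login handler that base64-decodes a credential field into a fixed-size buffer. The decoder computes the decoded length up front and refuses input that would not fit, which is the bounds check an overflow of this kind is missing. The buffer size, the function names and the sample inputs are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Capacity of the fixed credential buffer in this illustrative login handler.
   The size is an assumption for the example; nothing here is DrayTek's code. */
#define CRED_MAX 64

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decoded length of a padded base64 string, or -1 if malformed.
   Computing this first lets the caller refuse oversized input
   before a single byte is written. */
int b64_decoded_len(const char *in) {
    size_t n = strlen(in);
    if (n == 0 || n % 4 != 0) return -1;
    size_t pad = 0;
    if (in[n - 1] == '=') pad++;
    if (pad == 1 && in[n - 2] == '=') pad++;
    for (size_t i = 0; i < n - pad; i++)
        if (b64_val(in[i]) < 0) return -1;   /* '=' anywhere but the tail is invalid */
    return (int)(n / 4 * 3 - pad);
}

/* Decode into out, never writing more than out_cap bytes.
   Returns decoded length, -1 on malformed input, -2 if it would not fit.
   The out_cap check is the guard an unbounded decode lacks. */
int b64_decode_bounded(const char *in, unsigned char *out, size_t out_cap) {
    int want = b64_decoded_len(in);
    if (want < 0) return -1;
    if ((size_t)want > out_cap) return -2;
    size_t n = strlen(in), o = 0;
    for (size_t i = 0; i < n; i += 4) {
        uint32_t triple = 0;
        for (int k = 0; k < 4; k++) {
            int v = (in[i + k] == '=') ? 0 : b64_val(in[i + k]);
            triple = (triple << 6) | (uint32_t)v;
        }
        if (o < (size_t)want) out[o++] = (unsigned char)(triple >> 16);
        if (o < (size_t)want) out[o++] = (unsigned char)(triple >> 8);
        if (o < (size_t)want) out[o++] = (unsigned char)triple;
    }
    return (int)o;
}

/* Illustrative login-field handler: decodes a base64 credential into a
   fixed stack buffer and returns its length, or a negative error code.
   Oversized input is rejected up front instead of overrunning cred[]. */
int check_login_field(const char *b64_field) {
    unsigned char cred[CRED_MAX];
    int len = b64_decode_bounded(b64_field, cred, sizeof cred);
    if (len < 0) return len;
    /* credential comparison against the stored secret would go here */
    return len;
}

int main(void) {
    /* Constructed inputs: a normal credential and one whose decoded size
       exceeds the buffer (88 base64 characters decode to 66 bytes). */
    const char *ok = "dXNlcg==";                 /* "user" */
    char big[89];
    memset(big, 'A', 88);
    big[88] = '\0';
    printf("normal: %d\n", check_login_field(ok));           /* 4 */
    printf("oversized: %d\n", check_login_field(big));       /* -2 */
    printf("malformed: %d\n", check_login_field("dXNlcg=")); /* -1 */
    return 0;
}
```

The defensive point is the order of operations: length is derived from the encoded input and compared against the destination capacity before any write, so a crafted field that decodes to more bytes than the buffer holds is rejected rather than copied.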
Over 200,000 affected business routers were found exposed online, where the vulnerability could be exploited without user interaction or any other prerequisites.
As shared by the researchers, there are a total of 29 vulnerable DrayTek Vigor series router models, including Vigor3910, Vigor1000B, Vigor2962 Series, Vigor2927 Series, Vigor2927 LTE Series, Vigor2915 Series, Vigor2952/2952P, Vigor3220 Series, Vigor2926 Series, and Vigor2926 LTE Series.
Upon learning of the issue, DrayTek immediately released the security updates for all the affected Vigor series models. The users of those business routers are advised to visit DrayTek’s firmware update centre to find their model’s patch updates.
The network equipment vendor has also shared a guide to help users perform the firmware update on their respective routers.
Despite the findings about the DrayTek router vulnerability, no active exploitation has been identified so far. However, experts still warn users and vendors to be cautious, since APT groups have a history of targeting SOHO routers.