Technical Advice
The vulnerability described on this and the following page affects various DrayTek Vigor router models that have not been updated with the vendor firmware since August 2022. If you have any of the affected models detailed on the previous page, you maybe at risk of this vulnerability being exploited in the future and recommend that you visit the manufacturer website to apply the security patch as soon as possible. This vulnerability has been independently scored as posing a critical risk to most organisations.
The Operation Configured team have contacted you because research indicates that your organisation or an organisation your ICT team are using one of the affected Draytek router models with a version of firmware that is susceptible to this vulnerability. While it is possible that this information is incorrect because of the method of vulnerability identification employed by the Operation, it is important you establish for yourself whether your organisation is vulnerable. If you establish that your systems are vulnerable, there is an increased risk you could fall victim to a potentially devastating criminal cyber attack.
There is another, non-technical summary of this vulnerability available for managers and decision makers. You will need to support them in making choices about how to approach this situation.
IMPORTANT: While SEROCU are notifying organisations of this vulnerability, Officers from the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.
About this Vulnerability
Around April 2022, the vulnerability research team at the cyber security company Trellix, had found and later published that an unauthenticated Remote Code Execution vulnerability existed with various models of the Draytek Vigor routers running specific versions of DrayOS – that implements the router’s various functions.
They found that the vulnerability could be exploited without any user interaction, if the login page for the router’s management interface (“/cgi-bin/wlogin.cgi”) was configured to be internet facing (but also internally from within the network).
The Common Vulnerabilities and Exposures (CVE) reference number and scoring for this vulnerability is :
CVE-2019-13917 (CVSS Score 9.8 / 10.0) – This ‘Critical’ vulnerability could allow an unauthenticated criminal to exploit the router memory in a ‘buffer overflow’ attack, remotely sending a specially crafted Base64 encoded string inside the username / password fields which executes in the router memory, due to a logic bug in the router code to properly verify these strings.
The Risk this Vulnerability poses
Although there is no specified intelligence that this vulnerability is being actively exploited, the US Cybersecurity & Infrastructure Security Agency (CISA) reported that ‘SOHO’ routers are always a target of state-sponsored advanced hackers.
If the vulnerability is exploited, it can risk the complete loss of confidentiality, integrity and availability of the router. Taking the worst case scenario, this could result in all of the resources being disclosed to an attacker and presents a direct serious impact to an organisation’s network. There are significant risks should you choose to ignore or accept this vulnerability to remain in your network, as successfully exploiting the vulnerability may lead to the some of the following outcomes :
- Leaking sensitive data stored on the router such as credential keys, admin passwords
- Access to the internal systems, services and resources located in your network that would normally require VPN-access or be present “on the same network”
- Ransomware
- Corruption of your backups
- Data theft (e.g. credentials, intellectual property, personal or financial information)
- Spying on website traffic requests and other unencrypted traffic sent to the internet from your network through the router (known as Man-In-The-Middle attacks)
- Being used as part of a criminal network for ‘botnet’ activity (such hosting malicious data, attacking other IP addresses, denying services to other organisations
Even if the criminals were unable to successfully exploit the router, the outcomes could also cause :
- The affected router to reboot
- Denial of Service to the affected router (i.e downtime to the networked systems, services and access to them)
- Other possible abnormal behaviour
Reporting of Exploitation of this Vulnerability
This vulnerability has made the headlines:
April 2022 – DrayTek Router unauthenticated remote code execution vulnerability (CVE-2022-32548) (DrayTek)
August 2022 – Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers (Trellix.com)
August 2022 – Critical Remote Code Execution Bug Could Let Hackers Remotely Take Over DrayTek Vigor Routers (TheHackerNews.com)
August 2022 – Critical Remote Code Execution Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (DarkReading.com)
Next Steps
The next steps for the organisation should be to:
- Verify the presence of this vulnerability in the organisation; if so:
- Establish if this vulnerability has already been exploited on the organisation’s systems
- Work with management to establish the degree of threat, potential harm and risk posed to the organisation
- Isolate and mitigate the risk as soon as possible
- Establish a plan to resolve this vulnerability and eliminate the risk
- Plan to improve the organisation’s cybersecurity for the future
For more information: