DrayTek Router Vulnerability (CVE-2022-32548) – Summary

Non-Technical Advice

The vulnerability described on this and the following page affects various DrayTek Vigor router models that have not been updated with the vendor firmware since August 2022. If you have any of the affected models detailed on the previous page, you maybe at risk of this vulnerability being exploited in the future and recommend that you visit the manufacturer website to apply the security patch as soon as possible.

The Operation Configured team have contacted you because open source research indicates that your organisation are using one of the affected Draytek router models with a version of firmware that is susceptible to this vulnerability. While it is possible that this information is incorrect because of the method of vulnerability identification employed by the Operation, it is important you establish for yourself whether your organisation is vulnerable. If you establish that your systems are vulnerable, there is an increased risk you could fall victim to a potentially devastating criminal cyber attack.

There is another technically focused summary of this vulnerability available for ICT and other technical teams. You should use them to support you in making choices about how to approach this situation.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

About this Vulnerability

In 2022, the vulnerability research team at the cyber security company Trellix, had found that the vulnerability existed and it could be exploited without any user interaction if the login page for the router’s management (administrator) interface was configured to be internet facing (but also internally from within the network).

The vulnerability is exploited by manipulating the router memory in an attack referred to as a ‘buffer overflow’. This is where the amount of data being placed into the device memory by a programme is more than it can logically cope with, causing the programme to corrupt, crash or allow other data to be written in it’s place.

In this case, the ‘buffer overflow’ could allow an unauthenticated criminal to remotely send specially crafted code to execute in the router memory and thereby control the router operating system. It is also important to point out that the research team did not even need any user credentials / passwords to exploit this.

The Risk this Vulnerability poses

Although there is no specified intelligence that this vulnerability is being actively exploited, the US Cybersecurity & Infrastructure Security Agency (CISA) reported that ‘SOHO’ routers are always a target of state-sponsored advanced hackers.

There are significant risks should you choose to ignore or accept this vulnerability to remain in your system, as successfully exploiting the vulnerability may lead to the following outcomes :

  • Leaking sensitive data stored on the router such as credential keys, admin passwords
  • Access to the internal systems, services and resources located in your internal network that would normally require VPN-access or be present “on the same network”
  • Ransomware
  • Data theft (e.g. credentials, intellectual property, personal or financial information)
  • Spying on website traffic requests and other unencrypted traffic sent to the internet from your network through the router (known as Man-In-The-Middle attacks)
  • Being used as part of a criminal network for ‘botnet’ activity (such hosting malicious data, attacking other IP addresses, denying services to other organisations

Even if the criminals were unable to successfully exploit the router, the outcomes could also cause :

  • The affected router to reboot
  • Denial of Service to the affected router (i.e downtime to the networked systems, services and access to them)
  • Other possible abnormal behaviour

News Reporting of Exploitation of this Vulnerability

This vulnerability has made the headlines:

August 2022 – Critical Remote Code Execution Bug Could Let Hackers Remotely Take Over DrayTek Vigor Routers (TheHackerNews.com)

August 2022 – Critical Remote Code Execution Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (DarkReading.com)

Next Steps

The next steps for your organisation should be to:

  1. Verify the presence of this vulnerability in your organisation; if so:
  2. Establish if this vulnerability has already been exploited on your systems
  3. Work with your ICT team or provider to establish the degree of threat, potential harm and risk posed to your organisation
  4. Isolate and mitigate the risk as soon as possible
  5. Establish a plan to resolve this vulnerability and eliminate the risk
  6. Plan to improve your cybersecurity for the future