Draytek Vigor Router Vulnerability (CVE-2022-32548)

The vulnerability described on this and the following pages affects various models of ‘Draytek Vigor’ routers which have not had the firmware updated and the list below details the affected models and firmware versions.

You are encouraged to read the following information if the Operation Configured team have contacted you and informed you that your organisation may have this vulnerability and as a result at a greater risk of criminal cyber-attacks.

The following pages will give you an indication of the risk this poses, possible consequences of ignoring this risk and point you towards confirming and solving the problem leading to this risk. The guidance that follows is split into non-technical and technical content, which you can choose based on your level of knowledge and understanding.

DrayTek Router ModelFirmware Version
Vigor 165Earlier than 4.2.4
Vigor 166Earlier than 4.2.4
VigorLTE 200nEarlier than 3.9.8.1
Vigor 2133 SeriesEarlier than 3.9.6.4
Vigor 2135 SeriesEarlier than 4.4.2
Vigor 2620nEarlier than 3.9.8.1
Vigor 2760 SeriesEarlier than 3.8.9.6
Vigor 2762 SeriesEarlier than 3.9.6.4
Vigor 2765 SeriesEarlier than 4.4.2
Vigor 2766 SeriesEarlier than 4.4.2
Vigor 2832 SeriesEarlier than 3.9.6
Vigor 2860 SeriesEarlier than 3.9.2
Vigor 2862 SeriesEarlier than 3.9.8.1
Vigor 2865 SeriesEarlier than 4.4.0
Vigor 2866 SeriesEarlier than 4.4.0
Vigor 2915 SeriesEarlier than 4.3.3.2
Vigor 2925 SeriesEarlier than 3.9.2
Vigor 2926 SeriesEarlier than 3.9.8.1
Vigor 2927 SeriesEarlier than 4.4.0
Vigor 2952 SeriesEarlier than 3.9.7.2
Vigor 2962 SeriesEarlier than 4.3.1.1
Vigor 3220 SeriesEarlier than 3.9.7.2
Vigor 3910 SeriesEarlier than 4.3.1.1
Vigor 1000BEarlier than 4.3.1.1

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, Officers from the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

This vulnerability has been assigned an internationally recognised common reference number, which will allow you to independently find more information about it easily from other sources. The Common Vulnerabilities and Exposures (CVE) reference is CVE-2022-32548 and you can find out more about it and verify the vulnerability using a simple web search.

The majority of discovered vulnerabilities are scored using an internationally recognised framework, known as the Common Vulnerability Scoring System (or CVSS). This allows other cyber security professionals to easily prioritise and manage the risks posed by the different vulnerabilities. The CVSS score for this vulnerability is [9.8 out of 10.0], which translates to potentially a critical degree of risk.

Note : There is no information known to law enforcement at this time that this vulnerability has been actively exploited by cyber criminals ‘in the wild’ (as at February 2023).

However, should there be an exploit published online or a criminal (group) is able to exploit this vulnerability in a similar manner, it could lead to a complete compromise of the router and then enable criminals to gain further access to the internal systems, services and resources of the breached networks, potentially causing significant damage and financial losses to the organisation. If you have this vulnerability, fixing it as soon as possible is essential to ensuring your organisation remains sufficiently protected. The cost of fixing this is almost certainly less than the costs and losses incurred by a criminal cyber attack.

There are two routes of further advice provided on our website which you can follow depending on your degree of technical ability and/or role.