The vulnerability described on this and the following pages affects various models of ‘Draytek Vigor’ routers which have not had the firmware updated and the list below details the affected models and firmware versions.
You are encouraged to read the following information if the Operation Configured team have contacted you and informed you that your organisation may have this vulnerability and as a result at a greater risk of criminal cyber-attacks.
The following pages will give you an indication of the risk this poses, possible consequences of ignoring this risk and point you towards confirming and solving the problem leading to this risk. The guidance that follows is split into non-technical and technical content, which you can choose based on your level of knowledge and understanding.
| DrayTek Router Model | Firmware Version |
| Vigor 165 | Earlier than 4.2.4 |
| Vigor 166 | Earlier than 4.2.4 |
| VigorLTE 200n | Earlier than 3.9.8.1 |
| Vigor 2133 Series | Earlier than 3.9.6.4 |
| Vigor 2135 Series | Earlier than 4.4.2 |
| Vigor 2620n | Earlier than 3.9.8.1 |
| Vigor 2760 Series | Earlier than 3.8.9.6 |
| Vigor 2762 Series | Earlier than 3.9.6.4 |
| Vigor 2765 Series | Earlier than 4.4.2 |
| Vigor 2766 Series | Earlier than 4.4.2 |
| Vigor 2832 Series | Earlier than 3.9.6 |
| Vigor 2860 Series | Earlier than 3.9.2 |
| Vigor 2862 Series | Earlier than 3.9.8.1 |
| Vigor 2865 Series | Earlier than 4.4.0 |
| Vigor 2866 Series | Earlier than 4.4.0 |
| Vigor 2915 Series | Earlier than 4.3.3.2 |
| Vigor 2925 Series | Earlier than 3.9.2 |
| Vigor 2926 Series | Earlier than 3.9.8.1 |
| Vigor 2927 Series | Earlier than 4.4.0 |
| Vigor 2952 Series | Earlier than 3.9.7.2 |
| Vigor 2962 Series | Earlier than 4.3.1.1 |
| Vigor 3220 Series | Earlier than 3.9.7.2 |
| Vigor 3910 Series | Earlier than 4.3.1.1 |
| Vigor 1000B | Earlier than 4.3.1.1 |
IMPORTANT: While SEROCU are notifying organisations of this vulnerability, Officers from the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.
This vulnerability has been assigned an internationally recognised common reference number, which will allow you to independently find more information about it easily from other sources. The Common Vulnerabilities and Exposures (CVE) reference is CVE-2022-32548 and you can find out more about it and verify the vulnerability using a simple web search.
The majority of discovered vulnerabilities are scored using an internationally recognised framework, known as the Common Vulnerability Scoring System (or CVSS). This allows other cyber security professionals to easily prioritise and manage the risks posed by the different vulnerabilities. The CVSS score for this vulnerability is [9.8 out of 10.0], which translates to potentially a critical degree of risk.
Note : There is no information known to law enforcement at this time that this vulnerability has been actively exploited by cyber criminals ‘in the wild’ (as at February 2023).
However, should there be an exploit published online or a criminal (group) is able to exploit this vulnerability in a similar manner, it could lead to a complete compromise of the router and then enable criminals to gain further access to the internal systems, services and resources of the breached networks, potentially causing significant damage and financial losses to the organisation. If you have this vulnerability, fixing it as soon as possible is essential to ensuring your organisation remains sufficiently protected. The cost of fixing this is almost certainly less than the costs and losses incurred by a criminal cyber attack.
There are two routes of further advice provided on our website which you can follow depending on your degree of technical ability and/or role.