Critical RCE vulnerability affects 29 DrayTek router models
Notably, the affected products are all from the enterprise Virgo line.
This vulnerability is tracked under the code CVE-2022-32548 and is scored 10, the maximum score on the CVSSv3 threat scale. For that reason, CVE-2022-32548 is considered extremely dangerous and requires immediate remedial and mitigation measures.
To exploit CVE-2022-32548, hackers do not need login information or any interaction of the victim. The default configuration of the device allows the attack to be carried out through the internet and LAN.
Hackers successfully exploiting the CVE-2022-32548 vulnerability can perform the following actions:
- Full control of the device.
- Set up the foundation for man-in-the-middle attacks.
- Change DNS settings.
- Use routers as bots for DDoS attacks or cryptocurrency mining.
Widespread influence
DrayTek Vigor devices became very popular during the pandemic due to the wave of working from home. They are reasonably priced products for VPN access to SME networks.
A quick Shodan search results in over 700,000 DrayTek Virgo devices connected to the internet. Most of these devices are located in the UK, Vietnam, the Netherlands and Australia.
Trellix decided to evaluate the security of one of DrayTek's top router models. The results show that the web management interface has a buffer overflow on the login page.
Using a specially generated pair of credentials as a base64 encoded string in the login fields, a hacker could enable the vulnerability and take control of the device's operating system.
Researchers found at least 200,000 of the routers discovered on Shodan expose a vulnerable service on the internet and thus can be easily exploited without user interaction or any other any other special prerequisites.
Of the remaining 500,000, many are exploitable with one-click attacks but only through LAN so the attack surface is smaller.
The list of affected devices includes:
- Vigor3910
- Vigor1000B
- Vigor2962 Series
- Vigor2927 Series
- Vigor2927 LTE Series
- Vigor2915 Series
- Vigor2952 / 2952P
- Vigor3220 Series
- Vigor2926 Series
- Vigor2926 LTE Series
- Vigor2862 Series
- Vigor2862 LTE Series
- Vigor2620 LTE Series
- VigorLTE 200n
- Vigor2133 Series
- Vigor2762 Series
- Vigor167
- Vigor130
- VigorNIC 132
- Vigor165
- Vigor166
- Vigor2135 Series
- Vigor2765 Series
- Vigor2766 Series
- Vigor2832
- Vigor2865 Series
- Vigor2865 LTE Series
- Vigor2866 Series
- Vigor2866 LTE Series
DrayTek quickly released security updates for the above devices. If you are using the devices listed above, find and download the latest firmware then install to patch the vulnerability.
You should read it
- How to change Modem login password and Vigor Draytek Router
- Detecting security holes that cause a series of D-Link VPN routers to be remotely attacked
- How to set up Port Forwarding on Draytek router
- Many Netgear router models contain serious RCE security holes
- Three critical holes in Linksys routers, hackers can take advantage of hijacking
- Detect dangerous security holes affecting many D-Link routers
- Detect 2 serious security holes in the Zoom application
- How to set up and configure DDNS on Draytek router
- Internet Explorer has vulnerabilities, unused users are still hacked
- AMD patched a series of security holes in the graphics driver for Windows 10
- Detecting a series of vulnerabilities can help hackers disable metal detectors at airports
- Top 30 serious security holes are being exploited by hackers the most
Maybe you are interested
Friday the 13th meme series is super funny
Google splits with Qualcomm, opts for MediaTek's 5G modem for Pixel 10 series
SpaceX reveals series of images capturing impressive moments during the latest Starship test
Series of DrayTek router models have security holes
Apple Watch Series 10 review: Slim design, larger screen, improved user experience
New iPhone 16 meme series, mixed reviews but hilarious