Critical RCE vulnerability affects 29 DrayTek router models

Researchers from security firm Trellix have discovered an unauthenticated remote code execution (RCE) vulnerability affecting 29 models of DrayTek routers.

Notably, all of the affected products belong to the enterprise Vigor line.

The vulnerability is tracked as CVE-2022-32548 and carries a CVSSv3 score of 10, the maximum on the scale. For that reason, CVE-2022-32548 is considered extremely dangerous and requires immediate patching and mitigation.

To exploit CVE-2022-32548, attackers need neither login credentials nor any interaction from the victim. In the device's default configuration the attack can be carried out over the internet as well as from the LAN.

Hackers successfully exploiting the CVE-2022-32548 vulnerability can perform the following actions:

  1. Take full control of the device.
  2. Set up the foundation for man-in-the-middle attacks.
  3. Change DNS settings.
  4. Use routers as bots for DDoS attacks or cryptocurrency mining.

Widespread impact

DrayTek Vigor devices became very popular during the pandemic due to the wave of working from home. They are reasonably priced products for VPN access to SME networks.

A quick Shodan search turns up more than 700,000 DrayTek Vigor devices connected to the internet. Most of these devices are located in the UK, Vietnam, the Netherlands and Australia.


Trellix decided to evaluate the security of one of DrayTek's top router models. The results show that the web management interface has a buffer overflow on the login page.

By submitting a specially crafted pair of credentials as a base64-encoded string in the login fields, an attacker could trigger the overflow and take control of the device's operating system.
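Because the overflow is reached through the base64-encoded login field, one thing a defender can do while rolling out firmware is watch the management interface's access logs for credential fields that are far larger than any real username/password pair, or that are not valid base64 at all. The script below is an added illustration and is not Trellix's or DrayTek's code; the log line format, the `credential=` field name, the `/cgi-bin/wlogin.cgi` path and the 128-byte threshold are all hypothetical placeholders constructed for the example, not values from the advisory or from any DrayTek firmware.

```python
"""Heuristic detection of oversized or malformed base64 credential fields
in router management-interface login requests.

Added illustration, not code from Trellix or DrayTek. It assumes a
hypothetical access-log format: client IP, quoted request line, then a
``credential=<base64>`` field. The field name, the login path and the
size threshold are placeholders chosen for this example.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Largest decoded credential length a legitimate login should produce.
# Constructed threshold: real limits depend on the device's own field sizes.
MAX_DECODED_LEN = 128

# Hypothetical log line layout; adjust the pattern to the real log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "POST (?P<path>\S+)" credential=(?P<b64>[A-Za-z0-9+/=]*)$'
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str
    decoded_len: int


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious login request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a login POST in the assumed format
    ip, path, b64 = m.group("ip"), m.group("path"), m.group("b64")
    try:
        # validate=True rejects characters outside the base64 alphabet;
        # bad padding raises binascii.Error as well.
        decoded = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return Finding(ip, path, "malformed base64", 0)
    if len(decoded) > MAX_DECODED_LEN:
        return Finding(ip, path, "oversized credential", len(decoded))
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the heuristic over a sequence of log lines."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


# Constructed sample log lines (documentation-range IPs, placeholder path).
SAMPLE_LOG = [
    '203.0.113.5 "POST /cgi-bin/wlogin.cgi" credential='
    + base64.b64encode(b"admin:correct-horse").decode(),   # normal login
    '198.51.100.7 "POST /cgi-bin/wlogin.cgi" credential='
    + base64.b64encode(b"A" * 600).decode(),               # 600 decoded bytes
    '192.0.2.9 "POST /cgi-bin/wlogin.cgi" credential=QUJ', # bad padding
    '192.0.2.10 "GET /index.htm"',                          # not a login
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} {f.path}: {f.reason} (decoded {f.decoded_len} bytes)")
```

A hit is a reason to check that the device runs the fixed firmware and that its management interface is not reachable from the WAN; the threshold should be tuned to the longest username/password combination the deployment actually allows.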

Researchers found that at least 200,000 of the routers discovered on Shodan expose the vulnerable service to the internet and can therefore be exploited easily, without user interaction or any other special prerequisites.

Of the remaining 500,000, many are exploitable through one-click attacks, but only from the LAN, so the attack surface is smaller.

The list of affected devices includes:

  1. Vigor3910
  2. Vigor1000B
  3. Vigor2962 Series
  4. Vigor2927 Series
  5. Vigor2927 LTE Series
  6. Vigor2915 Series
  7. Vigor2952 / 2952P
  8. Vigor3220 Series
  9. Vigor2926 Series
  10. Vigor2926 LTE Series
  11. Vigor2862 Series
  12. Vigor2862 LTE Series
  13. Vigor2620 LTE Series
  14. VigorLTE 200n
  15. Vigor2133 Series
  16. Vigor2762 Series
  17. Vigor167
  18. Vigor130
  19. VigorNIC 132
  20. Vigor165
  21. Vigor166
  22. Vigor2135 Series
  23. Vigor2765 Series
  24. Vigor2766 Series
  25. Vigor2832
  26. Vigor2865 Series
  27. Vigor2865 LTE Series
  28. Vigor2866 Series
  29. Vigor2866 LTE Series

DrayTek quickly released security updates for the above devices. If you are using any of the devices listed above, download and install the latest firmware to patch the vulnerability.

Update 18 August 2022