Security researchers at Trellix recently published an article detailing a vulnerability they discovered in the firmware of 29 DrayTek router models. It allows an attacker to achieve Remote Code Execution (RCE) on the device without authentication or user interaction, and Trellix assessed it as critical, with a likely severity score of 10/10. The vulnerability is tracked as CVE-2022-32548.
Trellix responsibly disclosed the vulnerability and DrayTek has already released updated firmware, but it is down to users to update their devices. This is particularly concerning because DrayTek devices are typically used by SMBs in SOHO (Small Office, Home Office) environments, where proactive threat monitoring and device management are often unaffordable or not a priority.
This comes at a time when state-sponsored attackers are targeting SOHO devices in sophisticated campaigns, as highlighted by the ZuoRAT malware discovered by Lumen: https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/?utm_source=referral&utm_medium=press+release
Vulnerable Devices
The following models are vulnerable when running firmware older than the version shown; the version shown is the first fixed release for that model:
DrayTek Vigor 3910 < 4.3.1.1
DrayTek Vigor 1000B < 4.3.1.1
DrayTek Vigor 2962 Series < 4.3.1.1
DrayTek Vigor 2927 Series < 4.4.0
DrayTek Vigor 2927 LTE Series < 4.4.0
DrayTek Vigor 2915 Series < 4.3.3.2
DrayTek Vigor 2952 / 2952P < 3.9.7.2
DrayTek Vigor 3220 Series < 3.9.7.2
DrayTek Vigor 2926 Series < 3.9.8.1
DrayTek Vigor 2926 LTE Series < 3.9.8.1
DrayTek Vigor 2862 Series < 3.9.8.1
DrayTek Vigor 2862 LTE Series < 3.9.8.1
DrayTek Vigor 2620 LTE Series < 3.9.8.1
DrayTek Vigor LTE 200n < 3.9.8.1
DrayTek Vigor 2133 Series < 3.9.6.4
DrayTek Vigor 2762 Series < 3.9.6.4
DrayTek Vigor 165 < 4.2.4
DrayTek Vigor 166 < 4.2.4
DrayTek Vigor 2135 Series < 4.4.2
DrayTek Vigor 2765 Series < 4.4.2
DrayTek Vigor 2766 Series < 4.4.2
DrayTek Vigor 2832 < 3.9.6
DrayTek Vigor 2865 Series < 4.4.0
DrayTek Vigor 2865 LTE Series < 4.4.0
DrayTek Vigor 2866 Series < 4.4.0
DrayTek Vigor 2866 LTE Series < 4.4.0
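As an added example (not part of the original post, and not code from Trellix or DrayTek), the following Python script checks a device inventory against the table above and reports which units still run a vulnerable firmware. It is included because the obvious shortcut, comparing version strings lexically, gets this wrong ("4.2.10" sorts before "4.2.4" as text but is newer). It assumes an inventory of "model,firmware" lines and firmware strings that are plain dotted numbers, optionally followed by an underscore suffix that is ignored; both the inventory format and the sample data are constructed for the example.

```python
"""
Added example: flag DrayTek Vigor devices whose firmware is older than the
fixed release listed for CVE-2022-32548.

Assumptions (not from the advisory): inventory lines are "model,firmware";
firmware strings are dotted numbers, optionally followed by an underscore
suffix (e.g. "4.4.0_STD") which is ignored for comparison purposes.
"""
import re

# First fixed firmware per model, transcribed from the table above.
# A device is vulnerable when its running version is strictly lower.
FIXED_VERSION_TABLE = {
    "Vigor 3910": "4.3.1.1",   "Vigor 1000B": "4.3.1.1",  "Vigor 2962": "4.3.1.1",
    "Vigor 2927": "4.4.0",     "Vigor 2927 LTE": "4.4.0", "Vigor 2915": "4.3.3.2",
    "Vigor 2952": "3.9.7.2",   "Vigor 2952P": "3.9.7.2",  "Vigor 3220": "3.9.7.2",
    "Vigor 2926": "3.9.8.1",   "Vigor 2926 LTE": "3.9.8.1",
    "Vigor 2862": "3.9.8.1",   "Vigor 2862 LTE": "3.9.8.1",
    "Vigor 2620 LTE": "3.9.8.1", "Vigor LTE 200n": "3.9.8.1",
    "Vigor 2133": "3.9.6.4",   "Vigor 2762": "3.9.6.4",
    "Vigor 165": "4.2.4",      "Vigor 166": "4.2.4",
    "Vigor 2135": "4.4.2",     "Vigor 2765": "4.4.2",     "Vigor 2766": "4.4.2",
    "Vigor 2832": "3.9.6",
    "Vigor 2865": "4.4.0",     "Vigor 2865 LTE": "4.4.0",
    "Vigor 2866": "4.4.0",     "Vigor 2866 LTE": "4.4.0",
}


def parse_version(text):
    """Turn '3.9.8.1_STD' into (3, 9, 8, 1).

    Comparing integer tuples avoids the string-compare bug where
    '4.2.10' < '4.2.4' because '1' < '4' as characters.
    """
    core = text.strip().split("_", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in core.split("."))


def normalise_model(text):
    """Map 'DrayTek Vigor2862 LTE Series' or 'vigor 2862lte' to 'VIGOR 2862 LTE'
    so inventory spellings match the table keys."""
    t = text.upper()
    t = re.sub(r"DRAYTEK|SERIES", " ", t)
    t = re.sub(r"VIGOR\s*", "VIGOR ", t)      # ensure a space after the family name
    t = re.sub(r"(\d)LTE", r"\1 LTE", t)      # "2862LTE" -> "2862 LTE"
    return " ".join(t.split())


# Normalised lookup: model key -> version tuple.
FIXED = {normalise_model(m): parse_version(v) for m, v in FIXED_VERSION_TABLE.items()}


def check_device(model, firmware):
    """Return (status, fixed_version) where status is 'vulnerable', 'patched'
    or 'not-listed'. A model absent from the table is reported, not assumed safe."""
    key = normalise_model(model)
    if key not in FIXED:
        return "not-listed", None
    fixed = FIXED[key]
    status = "vulnerable" if parse_version(firmware) < fixed else "patched"
    return status, ".".join(str(p) for p in fixed)


def check_inventory(lines):
    """Check 'model,firmware' lines; blank lines and '#' comments are skipped.
    Returns a list of (model, firmware, status, fixed_version) tuples."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        model, firmware = (part.strip() for part in line.split(",", 1))
        status, fixed = check_device(model, firmware)
        results.append((model, firmware, status, fixed))
    return results


# Constructed sample inventory for the example; not real device data.
SAMPLE_INVENTORY = """\
# model,firmware
Vigor 2927 Series,4.3.2.1
DrayTek Vigor2862 LTE,3.9.8.1
Vigor 2865,4.4.0_STD
Vigor 165,4.2.10
Vigor 2960,1.5.1.4
"""

if __name__ == "__main__":
    for model, fw, status, fixed in check_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{model:28} {fw:12} {status:12} fixed in: {fixed}")
```

The "not-listed" status is deliberate: a model missing from the table is not evidence that it is unaffected, only that it is not on the published list, so it should be reviewed against DrayTek's own advisory rather than silently passed.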
Mitigation
All owners of vulnerable devices should update their firmware to the latest version provided by DrayTek (available here: https://www.draytek.com/support/latest-firmwares/). Until the update is applied, make sure the router's web management interface is not reachable from the internet, since that is what makes the attack possible without any user interaction. Because patching does not undo a compromise that has already happened, it is also worth reviewing the device configuration (administrator accounts, DNS, VPN and remote-access settings) for unexpected changes before trusting it again.