Researchers at Trellix have discovered a critical unauthenticated remote code execution (RCE) vulnerability impacting 29 models of the DrayTek Vigor series of business routers.
The vulnerability is tracked as CVE-2022-32548 and carries a maximum CVSS v3 severity score of 10.0, categorizing it as critical.
The attacker does not need credentials or user interaction to exploit the vulnerability, with the default device configuration making the attack viable via the internet and LAN.
Hackers who exploit this vulnerability could potentially perform the following actions:
complete device takeover,
laying the ground for stealthy man-in-the-middle attacks,
changing DNS settings,
using the routers as DDoS or cryptominer bots,
or pivoting to devices connected to the breached network.
DrayTek Vigor devices became very popular during the pandemic by riding the “work from home” wave. They are excellent cost-efficient products for VPN access to small and medium-sized business networks.
A Shodan search returned over 700,000 online devices, most located in the UK, Vietnam, Netherlands, and Australia.
Trellix decided to evaluate the security of one of DrayTek’s flagship models due to its popularity and found that the web management interface suffers from a buffer overflow issue on the login page.
Using a specially crafted pair of credentials as base64 encoded strings in the login fields, one can trigger the flaw and take control of the device’s OS.
The researchers found at least 200,000 of the detected routers to expose the vulnerable service on the internet and hence are readily exploitable without user interaction or any other special prerequisites.
Of the remaining 500,000, many are also believed to be exploitable using one-click attacks, but only via LAN, so the attack surface is smaller.
The vulnerable models are the following:
Vigor2927 LTE Series
Vigor2952 / 2952P
Vigor2926 LTE Series
Vigor2862 LTE Series
Vigor2620 LTE Series
Vigor2865 LTE Series
Vigor2866 LTE Series
DreyTek quickly released security updates for all models mentioned above, so navigate to the vendor’s firmware update center and locate the latest version for your model.
For information on performing the firmware update on your router, check out this guide by DreyTek.
There have been no signs of CVE-2022-32548, but as CISA reported recently, SOHO routers are always in the crosshair of state-sponsored APTs from China and elsewhere.