CyberSecurity SEE

DrayTek Routers Exposed to 14 New Vulnerabilities

Tens of thousands of DrayTek routers, including models commonly used by businesses and government agencies, are at heightened risk of attack following the discovery of 14 new firmware vulnerabilities. The flaws enable denial-of-service attacks, remote code execution, and the injection of malicious code into the router's web pages, which would then execute in the browsers of users who visit a compromised device.

Among the newly discovered vulnerabilities, two are critical and require immediate attention. These include a maximum-severity remote code execution bug in the Web UI component of DrayTek routers and an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are considered medium-severity threats, with three being relatively low-severity flaws. The vulnerabilities have been found in 24 different models of DrayTek routers.

The vulnerabilities were discovered by researchers at Forescout’s Vedere Labs during an investigation of DrayTek routers. The investigation was prompted by signs of consistent attack activity targeting the routers, as well as a recent increase in vulnerabilities affecting the technology. The researchers found over 704,000 Internet-exposed DrayTek routers, predominantly in Europe and Asia, many of which are likely to contain the newly discovered vulnerabilities.

According to a report from Forescout, since 75% of the affected routers are used in commercial settings, the potential implications for business continuity and reputation are severe. A successful attack could result in significant downtime, loss of customer trust, and regulatory penalties. The report also emphasized the importance of organizations taking a proactive security approach to mitigate the risks associated with these vulnerabilities.

While DrayTek has issued patches for all the vulnerabilities through various firmware updates, organizations are advised not to rely solely on patches. Daniel dos Santos, the head of security research at Forescout Vedere Labs, suggests implementing longer-term mitigation measures to reduce the risk of similar vulnerabilities in the future. Proactive security measures can ensure that organizations are better protected against potential threats.

Attackers may find it relatively easy to identify exposed DrayTek routers using Internet search engines such as Shodan or Censys. However, exploiting these vulnerabilities may be challenging without a detailed working proof-of-concept. Forescout and DrayTek have recommended several mitigations, including disabling remote access when it is not needed, verifying remote access profiles, enabling system logging, and using secure protocols such as HTTPS for management.

The discovery of these vulnerabilities comes amid growing threat actor activity targeting vulnerabilities in routers and network devices from various vendors, including DrayTek. The FBI, US National Security Agency, and Cyber National Mission Force have warned of threat actors compromising routers and IoT devices for botnet operations. The Cybersecurity and Infrastructure Security Agency highlighted active exploitation of DrayTek vulnerabilities in a recent advisory, emphasizing the importance of timely patching to protect networks.

Despite the availability of patches, many organizations appear to be slow in addressing critical vulnerabilities in DrayTek products. Forescout's report lists numerous high-severity vulnerabilities dating back to 2020 that remain unpatched on exposed devices. The lack of visibility into unmanaged devices such as routers makes it difficult for organizations to identify and patch vulnerable units in a timely manner.

To protect against potential attacks targeting DrayTek routers, organizations are advised to implement recommended mitigations, ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks. By taking a proactive approach to security and staying informed about emerging threats, organizations can better safeguard their networks and mitigate the risks associated with these vulnerabilities.
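The mitigations listed above (disable remote access from the WAN, enforce HTTPS management, enable logging, replace end-of-life devices, segment the management plane) can be turned into a repeatable check against a device inventory. The following is an added example written for this article, not code from Forescout or DrayTek: the inventory records and their field names are constructed for illustration, and a real export from DrayTek's VigorACS or a network-discovery tool would need to be mapped onto them.

```python
from dataclasses import dataclass


@dataclass
class RouterRecord:
    """One router from a hypothetical asset inventory (field names are assumptions)."""
    hostname: str
    model: str
    firmware: str
    remote_admin_from_wan: bool   # management UI reachable from the Internet side
    management_https_only: bool   # plaintext HTTP management disabled
    syslog_enabled: bool          # system logging turned on and forwarded
    end_of_life: bool             # vendor no longer ships firmware for this model
    management_vlan: str          # "default" means the management UI sits with user traffic


def assess_router(r: RouterRecord) -> list[str]:
    """Return the mitigation gaps for one router, mirroring the recommended controls."""
    findings = []
    if r.remote_admin_from_wan:
        findings.append("remote management reachable from WAN; disable unless required")
    if not r.management_https_only:
        findings.append("management UI accepts plaintext HTTP; enforce HTTPS")
    if not r.syslog_enabled:
        findings.append("system logging disabled; enable and forward to a collector")
    if r.end_of_life:
        findings.append("end-of-life model; replace, no vendor patches expected")
    if r.management_vlan == "default":
        findings.append("management on the default VLAN; move to a dedicated segment")
    return findings


def assess_inventory(records: list[RouterRecord]) -> dict[str, list[str]]:
    """Map hostname -> findings, omitting routers with nothing to fix."""
    return {r.hostname: f for r in records if (f := assess_router(r))}


def prioritize(records: list[RouterRecord]) -> list[RouterRecord]:
    """Order remediation: Internet-exposed management first, then by number of gaps."""
    return sorted(
        records,
        key=lambda r: (not r.remote_admin_from_wan, -len(assess_router(r))),
    )


# Constructed sample inventory; model and firmware strings are placeholders.
SAMPLE_INVENTORY = [
    RouterRecord("branch-wan", "Vigor-PLACEHOLDER", "x.y.z", True, False, False, False, "default"),
    RouterRecord("branch-eol", "Vigor-PLACEHOLDER", "x.y.z", False, True, True, True, "mgmt"),
    RouterRecord("branch-clean", "Vigor-PLACEHOLDER", "x.y.z", False, True, True, False, "mgmt"),
]


if __name__ == "__main__":
    for router in prioritize(SAMPLE_INVENTORY):
        gaps = assess_router(router)
        print(f"{router.hostname}: {len(gaps)} finding(s)")
        for gap in gaps:
            print(f"  - {gap}")
```

The ordering in `prioritize` reflects the article's point that exposed management interfaces are what Shodan and Censys surface: a router whose management UI listens on the WAN is worth fixing before one that merely lacks logging on an internal segment.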
