A significant security flaw has been identified in DrayTek’s DrayOS routers, potentially enabling unauthenticated remote attackers to execute arbitrary code. This vulnerability, designated as CVE-2025-10547, affects a broad spectrum of Vigor router models, necessitating immediate firmware updates from administrators to mitigate potential risks.
Understanding the Vulnerability
The issue, detailed in DrayTek’s security advisory DSA-2025-005 released on October 2, 2025, is categorized as a Use of Uninitialized Variable weakness. Attackers can exploit this flaw by sending specially crafted HTTP or HTTPS requests to the router’s Web User Interface (WebUI). Successful exploitation may result in memory corruption, leading to system crashes. More alarmingly, under specific conditions, this memory corruption can be leveraged to achieve remote code execution (RCE), granting attackers control over the compromised device.
Scope of Impact
The vulnerability impacts a wide array of DrayTek’s Vigor router series, including but not limited to:
– Vigor1000B
– Vigor2962
– Vigor3910
– Vigor3912
– Vigor2135
– Various models within the Vigor276x, Vigor286x, Vigor291x, Vigor292x, and Vigor295x series
Given the widespread deployment of these routers in business environments, the potential for exploitation is substantial.
Mitigation Strategies
DrayTek has outlined several measures to protect against this vulnerability:
1. Disable Remote Access: Immediately disable remote access to the WebUI and SSL VPN services from the WAN to prevent external attacks.
2. Configure Access Control Lists (ACLs): Properly set up ACLs to restrict unauthorized access from the internet.
3. Segment Local Access: For some models, utilize VLANs and additional ACLs to control local network access.
While these steps can reduce the risk, they do not offer complete protection. An attacker with local network access can still exploit the vulnerability through the LAN-side WebUI. Therefore, DrayTek strongly recommends upgrading the device firmware to the latest patched version as the definitive solution.
Firmware Updates
DrayTek has released specific firmware updates for each affected product line. For instance:
– Vigor2962 Series: Upgrade to version 4.4.3.6 or 4.4.5.1
– Vigor2865 Series: Upgrade to version 4.5.1 or later
Users are urged to consult the official advisory for a comprehensive list of affected models and their corresponding minimum firmware versions.
Acknowledgment
DrayTek has expressed gratitude to Pierre-Yves MAES from ChapsVision for responsibly disclosing the vulnerability, allowing for timely mitigation efforts.
Conclusion
The discovery of CVE-2025-10547 underscores the critical importance of regular firmware updates and vigilant network security practices. Administrators are advised to apply the recommended firmware patches immediately to safeguard their networks against potential exploitation.
