DrayTek Routers Under Siege: Exploited Vulnerabilities Lead to Global Disruptions

In recent days, a significant number of DrayTek routers have been compromised, leading to widespread connectivity issues and continuous reboot loops for users across the globe. Internet service providers (ISPs) in countries such as the United Kingdom, Australia, Vietnam, and Germany have reported these disruptions, which began around March 22, 2025. The root cause has been traced back to the exploitation of known vulnerabilities within DrayTek’s router firmware.

Global Impact and ISP Responses

Users have experienced intermittent connectivity losses and routers entering persistent reboot cycles. UK-based ISPs, including Gamma, Zen Internet, ICUK, and Andrews & Arnold, have acknowledged these issues. ICUK, for instance, advised customers: “The cause has been narrowed down to vulnerable firmware versions on DrayTek routers. If you are seeing broadband circuits exhibiting repeat short sessions, please upgrade the firmware to the latest version.”

Exploitation of Known Vulnerabilities

Security intelligence firm GreyNoise has observed active exploitation attempts targeting specific DrayTek vulnerabilities over the past 45 days:

– CVE-2020-8515: A remote code execution vulnerability affecting multiple DrayTek router models. Although no activity has been detected in the past 24 hours, 82 unique IP addresses exploited this vulnerability in the past month.

– CVE-2021-20123 and CVE-2021-20124: Directory traversal vulnerabilities in DrayTek VigorConnect. Both have shown active exploitation within the last 24 hours, with 23 and 22 unique attacking IP addresses recorded, respectively.

The most targeted countries include Lithuania, the United States, and Singapore.

User Experiences and Reports

The impact has been substantial across various sectors. In Thu Duc, Ho Chi Minh City, an Internet café owner reported that since March 23, “the network has been intermittently unstable despite multiple device restarts.” Another user in Ho Chi Minh City, utilizing a DrayTek Vigor 2925, noted that their “IP camera repeatedly lost connection,” and their router management page showed “uptime reset to zero every five minutes.”

Recommended Mitigation Steps

DrayTek has issued guidance for affected users, recommending immediate actions:

– Firmware Update: Disconnect the WAN and upgrade to the latest firmware version.

– Disable Remote Management and SSL VPN Service: To prevent unauthorized access.

– Implement Access Control Lists (ACLs): To restrict access to trusted devices.

– Enable Two-Factor Authentication: Where available, to enhance security.

– Monitor System Alerts and Notifications: To detect and respond to potential threats promptly.
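The symptom ISPs described above, "repeat short sessions" and uptime resetting every few minutes, can be picked out of session-accounting data before customers call in. The following is an added example, not code from the article, DrayTek, or any of the ISPs named; it assumes a constructed, generic log format of `<ISO timestamp> <circuit id> session-up|session-down` and a hypothetical threshold (three sessions shorter than ten minutes). Real RADIUS accounting or router syslog formats differ and would need their own parser, but the pairing and thresholding logic carries over.

```python
"""Flag broadband circuits that show the "repeat short sessions" symptom.

Added example (not from the article or from DrayTek/ICUK). It assumes a
constructed, generic session-accounting log format; real ISP RADIUS or
router syslog records will differ and need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <circuit id> <event>".
# circ-1001 re-establishes its session every ~5 minutes (the reboot loop),
# circ-2002 holds one long session, circ-3003 has a single short drop.
SAMPLE_LOG = """\
2025-03-23T08:00:00 circ-1001 session-up
2025-03-23T08:05:02 circ-1001 session-down
2025-03-23T08:05:10 circ-1001 session-up
2025-03-23T08:10:11 circ-1001 session-down
2025-03-23T08:10:20 circ-1001 session-up
2025-03-23T08:15:19 circ-1001 session-down
2025-03-23T08:00:00 circ-2002 session-up
2025-03-23T20:00:00 circ-2002 session-down
2025-03-23T08:00:00 circ-3003 session-up
2025-03-23T08:04:00 circ-3003 session-down
2025-03-23T08:04:30 circ-3003 session-up
"""

SHORT_SESSION = timedelta(minutes=10)  # hypothetical: sessions shorter than this are "short"
MIN_SHORT_SESSIONS = 3                 # hypothetical: alert once this many short sessions are seen


def parse_log(text):
    """Return a time-sorted list of (timestamp, circuit, event), skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, circuit, event = parts
        try:
            records.append((datetime.fromisoformat(ts), circuit, event))
        except ValueError:
            continue  # unparseable timestamp; ignore the line
    records.sort(key=lambda r: r[0])  # events may be logged out of order
    return records


def session_durations(records):
    """Pair each circuit's session-up with the following session-down."""
    open_since = {}
    durations = defaultdict(list)
    for ts, circuit, event in records:
        if event == "session-up":
            open_since[circuit] = ts
        elif event == "session-down" and circuit in open_since:
            durations[circuit].append(ts - open_since.pop(circuit))
    return durations  # a session still open at the end of the log is not counted


def flag_repeat_short_sessions(text, short=SHORT_SESSION, min_count=MIN_SHORT_SESSIONS):
    """Return {circuit: short_session_count} for circuits at or above the threshold."""
    flagged = {}
    for circuit, durs in session_durations(parse_log(text)).items():
        n_short = sum(1 for d in durs if d < short)
        if n_short >= min_count:
            flagged[circuit] = n_short
    return flagged


if __name__ == "__main__":
    for circuit, n in sorted(flag_repeat_short_sessions(SAMPLE_LOG).items()):
        print(f"{circuit}: {n} short sessions; verify CPE firmware version and remote-management settings")
```

On the constructed sample only `circ-1001` trips the threshold. A circuit flagged this way is a candidate for the firmware check ICUK describes; the single short drop on `circ-3003` stays below the threshold so that ordinary line noise does not generate alerts.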

Historical Context and Ongoing Threats

This incident follows Forescout Technologies’ October 2024 findings, which identified 14 previously unknown vulnerabilities in DrayTek routers, including one with the highest possible severity rating of 10. These vulnerabilities have made DrayTek devices attractive targets for cybercriminals.

Security researchers continue to monitor the situation, with GreyNoise tracking exploit attempts in real-time. Network administrators using DrayTek equipment are strongly advised to implement the recommended mitigations immediately to safeguard their networks against these ongoing threats.