Research Alert: 704,000 Exposed DrayTek Routers
Summary
- 14 critical vulnerabilities identified in DrayTek products
- Over 704,000 DrayTek routers are exposed to the internet
- The vulnerabilities impact 24 models
- DrayTek has patched the firmware vulnerabilities, however, mitigation is needed
- Recommendation: Ensure all DrayTek devices on your network are patched and employ “DrayTek Mitigation Strategies” additional mitigation strategies
Routers are the unsung heroes of network security. These assets are responsible for keeping internal systems connected to the outside world but are often overlooked.
Until attackers find and exploit their vulnerabilities. And make no mistake, cybercriminals are working around the clock to find the cracks in your routers’ armor, using them as entry points to steal data or cripple business operations. In fact, our 2024 research shows that routers are the riskiest device category across all assets
Why are so many companies ignoring these vulnerabilities?
Recent findings from Forescout Research – Vedere Labs underscore the gravity of the issue with 14 newly identified router vulnerabilities in DrayTek products — including one with the highest possible severity rating. Attackers could gain full control over these routers if left unaddressed – opening the door to ransomware or denial of service attacks. The result? Financial loss, reputational damage and customer mistrust.
DrayTek’s history of vulnerabilities has been in the news. In addition to our findings, the FBI recently announced it had taken down a botnet exploiting three CVEs using DrayTek products. A few weeks earlier, CISA added two DrayTek CVEs to the KEV that are separate from our discoveries.
Here’s a closer look at the impact of the vulnerabilities — with guidance on how to mitigate the risks.
DrayTek Is a Popular Router Company
DrayTek, a Taiwanese networking equipment manufacturer, specializes in the residential and business sectors. Its routers come with advanced features, including VPN, firewalls and bandwidth management. Due to its extensive use across industries, such as healthcare, retail, manufacturing, and government, DrayTek assets have become prime targets for cybercriminals.
The National Vulnerability Database (NVD) reports that DrayTek routers have experienced an increase in critical vulnerabilities over the past few years. Many of these issues enable
Remote Code Execution (RCE), allowing attackers to take control of the devices remotely. This trend has drawn the attention of both criminal hackers and state-sponsored actors, further raising the stakes.
Key Vedere Labs Research Findings
- The highest severity received a CVSS score of 10; another scored 9.1
- Widespread exposure:
- Over 704,000 DrayTek routers are exposed to the internet
- 38% are still vulnerable to similar issues identified two years ago
- 75% of these vulnerable routers are used by businesses
- End-of-Life devices at risk:
- The vulnerabilities impact 24 models
- 11 of which are end-of-life (EoL)
- 63% of the exposed devices are either:
- End-of-sale (EoS) or EoL
- They are difficult to patch and protect
Potential Attack Scenarios
DrayTek products open up many attack opportunities for cybercriminals — especially those with the ‘Web UI’ exposed to the internet. Potential router attack scenarios include:
- Espionage and Data Exfiltration:
- An attacker could deploy a rootkit that survives reboots and updates, allowing them to intercept and analyze network traffic, leading to the theft of sensitive data, such as credentials or other confidential information.
- Lateral Movement:
- Once inside the network, an attacker could move laterally to compromise other devices resulting in ransomware attacks, denial-of-service (DoS), or even the creation of botnets used for distributed attacks.
- Using Routers as C2 Servers:
- High-performance DrayTek models like the Vigor3910 feature advanced hardware capable of being repurposed that could be used as part of command-and-control (C2) servers, where attackers could launch further attacks on other victims.
As part of the responsible disclosure process, DrayTek has patched all the firmware vulnerabilities Vedere Labs . However, mitigation is needed to be performed by organizations with these products on their networks.
DrayTek Mitigation Strategies
The best way to protect against these vulnerabilities is to ensure all affected devices are patched with the latest firmware updates provided by DrayTek. Beyond patching, Forescout recommends the following mitigation strategies:
- Disable Remote Access:
- If remote access is not required, disable it entirely.
- For necessary remote access, implement Access Control Lists (ACL) and two-factor authentication (2FA).
- Monitor for Abnormal Events:
- Enable syslog logging to track unusual activities
- Check regularly for any unauthorized changes to remote access profiles or administrative settings.
- Segment Your Network: Ensure your network is properly segmented so that if an attacker compromises a router, they don’t gain access to the entire network.
- Replace EoL Devices:
- For devices that cannot be patched, consider replacing them.
- Older devices may continue to expose vulnerabilities that are difficult or impossible to fix with software updates.
- Update Passwords: Always change default credentials and use strong, unique passwords for each device in your network.
Vedere Labs – Enables Organizations to Stay One Step Ahead of Attackers
The discovery of these vulnerabilities in DrayTek products highlights the importance of managing network infrastructure and maintaining an organization’s security posture. With more than 700,000 devices exposed online and attackers increasingly targeting routers, organizations must take immediate steps to protect themselves.
By applying the available firmware patches and adopting the recommended mitigation strategies, you can reduce the risks posed by these vulnerabilities and ensure that your network remains secure.
For more technical details and proof-of-concept attacks, read the full research report.