Latest DrayTek Vigor router vulnerability #
A previously disclosed vulnerability (CVE-2024-12987), has recently been confirmed to be under active exploitation in the wild.
This vulnerability, with a CVSS score of 7.5 (high), would allow a remote, unauthenticated attacker to inject arbitrary commands to be run on the underlying operating system of DrayTek Vigor2960 and Vigor300B routers.
This vulnerability has been designated CVE-2025-2567 and has been assigned a CVSS score of 9.8 (critical).
What is the impact? #
Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands on vulnerable routers, allowing them to take complete control of affected devices.
Are any updates or workarounds available? #
DrayTek has released an updated version of the affected firmware, and advises all users to upgrade immediately.
How do I find vulnerable DrayTek Vigor routers with runZero? #
From the Asset Inventory, use the following query to locate vulnerable DrayTek Vigor assets:
(hw:"DrayTek Vigor2960" OR hw:"DrayTek Vigor300b" OR hw:"DrayTek Vigor 2960" OR hw:"DrayTek Vigor 300b") AND osversion:<"1.5.1.5"Previous DrayTek Vigor router vulnerability (CVE-2022-32548) #
The Trellix Threat Labs Vulnerability Research team recently published vulnerability details affecting almost 30 models of DrayTek Vigor routers. This vulnerability resides in the management interface login page and is trivial to exploit via buffer overflow. An unauthenticated attacker can easily gain control over vulnerable Vigor devices, doing so remotely if the management interface is exposed to the Internet.
What is the impact? #
Tracked as CVE-2022-32548 with a CVSS “critical” maximum score of 10, successful attackers can potentially leverage device control to execute code, establish a foothold on the network for further exploration, exfiltrate sensitive data, add the device to a botnet, and more. Trellix researchers found over 200k vulnerable Vigor devices with management interfaces exposed to the Internet, putting them at risk of remote exploitation. Even with external access to the management interface disabled, vulnerable devices are still susceptible to exploitation via the local network.
Are updates available? #
DrayTek has provided patched firmware for affected Vigor devices. Admins should ensure that affected models are updated to the latest firmware version. The Trellix research team also provided additional mitigation recommendations, including disabling public-facing access to the management interface (see Recommendations).
How do I find DrayTek Vigor routers with runZero? #
From the Asset Inventory, use the following pre-built query to locate DrayTek Vigor assets that may need remediation:
hw:"DrayTek Vigor"
As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.
