Finding DrayTek Vigor routers
The Trellix Threat Labs Vulnerability Research team recently published vulnerability details affecting almost 30 models of DrayTek Vigor routers. This vulnerability resides in the management interface login page and is trivial to exploit via buffer overflow. An unauthenticated attacker can easily gain control over vulnerable Vigor devices, doing so remotely if the management interface is exposed to the Internet.
What is the impact? #
Tracked as CVE-2022-32548 with a CVSS “critical” maximum score of 10, successful attackers can potentially leverage device control to execute code, establish a foothold on the network for further exploration, exfiltrate sensitive data, add the device to a botnet, and more. Trellix researchers found over 200k vulnerable Vigor devices with management interfaces exposed to the Internet, putting them at risk of remote exploitation. Even with external access to the management interface disabled, vulnerable devices are still susceptible to exploitation via the local network.
Are updates available? #
DrayTek has provided patched firmware for affected Vigor devices. Admins should ensure that affected models are updated to the latest firmware version. The Trellix research team also provided additional mitigation recommendations, including disabling public-facing access to the management interface (see Recommendations).
How do I find DrayTek Vigor routers with runZero? #
From the Asset Inventory, use the following pre-built query to locate DrayTek Vigor assets that may need remediation:
hw:"DrayTek Vigor"

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable DrayTek Vigor assets?
Start your runZero trial

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.
Similar Content
November 9, 2023
How to find SysAid Help Desk instances
How to find SysAid Help Desk instances # On the evening of November 8th Microsoft Threat Intelligence announced that they had discovered attacks by a ransomware gang against the SysAid Help Desk software using a zero-day exploit (CVE-2023-47246). These attacks leveraged a …
Read MoreNovember 1, 2023
How to find Apache ActiveMQ instances
How to find Apache ActiveMQ® instances # On October 25th the Apache team announced a vulnerability (CVE-2023-46604) in ActiveMQ that could lead to unauthenticated remote code execution. Shortly after the issue was disclosed exploits started to appear and the Rapid7 MDR team …
Read MoreOctober 30, 2023
Finding NGINX Ingress Controllers with runZero
Today, three vulnerabilities in the NGINX Ingress Controller for Kubernetes were disclosed, as described in this article from The Hacker News. These vulnerabilities have CVSS scores ranging from 7.6 to 8.8; all of these scores are considered high. These vulnerabilities have …
Read More