Critical DrayTek Router Flaw Allows Remote Code Execution

Summary
– DrayTek has released patches for an unauthenticated remote code execution vulnerability (CVE-2025-10547) affecting its DrayOS routers.
– The flaw can be exploited via crafted HTTP or HTTPS requests to the router’s web interface, potentially causing memory corruption or arbitrary code execution.
– Routers are protected from WAN-based attacks if remote access to web services is disabled, but local network attackers can still exploit the vulnerability.
– Firmware updates addressing the issue are available for 35 Vigor router models, and users are urged to update immediately.
– The vulnerability was reported by researcher Pierre-Yves Maes, and DrayTek devices are known targets for hackers, though no current exploitation was mentioned.
A recently discovered security flaw in DrayTek routers presents a serious threat, allowing attackers to execute commands remotely without requiring authentication. Tracked as CVE-2025-10547, this vulnerability enables malicious actors to send specially crafted HTTP or HTTPS requests directly to the device’s web interface. DrayTek’s official advisory warns that exploiting this defect could corrupt memory, crash the system, and, under specific conditions, permit unauthorized remote code execution.
The company emphasizes that routers remain protected from internet-based attacks when remote access to the Web User Interface and SSL VPN services is turned off, or when Access Control Lists are correctly set up. However, an attacker already present on the local network could still leverage the vulnerability through the WebUI. On certain router models, administrators can manage local WebUI access using LAN-side VLANs and ACL configurations to limit exposure.
Security researcher Pierre-Yves Maes from ChapsVision responsibly disclosed the vulnerability to DrayTek on July 22. In response, DrayTek has issued firmware updates to resolve the security issue across 35 different Vigor router models. The company strongly advises all users to install these updates promptly. At this time, there is no evidence indicating active exploitation of this vulnerability in real-world attacks.
DrayTek networking equipment sees widespread adoption among prosumers and small to medium-sized businesses, making these devices attractive targets for cybercriminals. Last year, ransomware operators successfully compromised hundreds of organizations by leveraging an unidentified weakness in DrayTek routers.
Earlier this year, users in the United Kingdom, Australia, and other nations reported widespread, unexpected router reboots affecting Vigor models. These incidents were later attributed to potentially malicious TCP connection attempts directed at older hardware versions.
Organizations recently received warnings about active exploitation of a separate vulnerability in Meteobridge products. In other security news, Broadcom faced criticism for not disclosing known zero-day exploitation affecting its VMware products. Meanwhile, Cisco released patches for a zero-day vulnerability impacting its routers and switches, and researchers identified security flaws exposing Helmholz industrial routers to potential hacking attempts.
(Source: Security Week)

