
Unauthenticated RCE Flaw Patched in DrayTek Routers

DrayTek on Thursday released patches for an unauthenticated remote code execution (RCE) vulnerability affecting DrayOS routers.

Tracked as CVE-2025-10547, the issue can be exploited via crafted HTTP or HTTPS requests sent to a vulnerable device’s web user interface.

Successful exploitation of the bug, DrayTek explains in its advisory, could result in memory corruption and a system crash. In certain circumstances, it could be used to execute arbitrary code remotely, it says.

“Routers are shielded from WAN-based attacks if remote access to the WebUI and SSL VPN services is disabled, or if Access Control Lists (ACLs) are properly configured,” DrayTek notes.

“Nevertheless, an attacker with access to the local network could still exploit the vulnerability via the WebUI. Local access to the WebUI can be controlled on some models using LAN side VLANs and ACLs,” the company adds.

The company credited ChapsVision security researcher Pierre-Yves Maes for reporting the vulnerability on July 22.


DrayTek has released firmware updates that address the security defect in 35 Vigor router models, urging users to update their devices as soon as possible. However, it made no mention of the bug being exploited in the wild.

DrayTek devices are widely used by prosumers and SMBs, and are known to be popular targets for hackers. Ransomware groups last year hit hundreds of organizations by exploiting an unknown flaw in DrayTek routers.

Earlier this year, widespread Vigor router reboots reported across the UK, Australia, and other countries were blamed on potentially malicious TCP connection attempts targeting older models.
