A total of 14 new vulnerabilities, including a critical remote code execution (RCE) flaw carrying the maximum 10.0 CVSS score, have been discovered in DrayTek Vigor routers. According to Forescout Research's Vedere Labs, the flaws could allow device hijacking, data theft, ransomware deployment, and denial of service (DoS) attacks.
More than 785,000 DrayTek routers operate worldwide, and over 704,000 of them expose their web management interface to the Internet, making them reachable for remote exploitation. Roughly 75% of these exposed devices are in business use.
The majority of the vulnerabilities are located in the routers' web-based user interface, so a device is exposed whenever that interface is reachable, whether from the local network or from the public Internet.
Two flaws stand out: CVE-2024-41592, a buffer overflow in the web interface, and CVE-2024-41585, an OS command injection vulnerability. Chained together, they allow a remote attacker to gain root access to the underlying host operating system.
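The two bug classes above are the classic failure modes of embedded web UIs. The following is an added illustration, not DrayTek's code and not a reconstruction of the actual flaws: a generic CGI query-string handler written first with an unbounded copy into a fixed buffer (the overflow pattern), then with a size-checked version that rejects overlong values, followed by an allowlisted, shell-free way to hand a user-supplied value to a system utility (the command-injection fix). Function names and the `ping` use case are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Illustrative example only: a generic embedded web-UI handler, not DrayTek's code. */

#define PARAM_MAX 64

/* Locate "name=value" in a query string; returns pointer to the value and its length, or NULL. */
static const char *find_value(const char *query, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *e = strchr(v, '&');
            *vlen = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* VULNERABLE pattern: the caller hands over a PARAM_MAX-byte buffer and the value
 * is copied with no bound check, so a query string longer than PARAM_MAX bytes
 * overwrites whatever sits after the buffer on the stack. Never call this with
 * untrusted input; it is here only to show the shape of the bug. */
int get_param_unsafe(const char *query, const char *name, char *out /* PARAM_MAX bytes */)
{
    size_t vlen;
    const char *v = find_value(query, name, &vlen);
    if (!v) return -1;
    memcpy(out, v, vlen);      /* no check that vlen < PARAM_MAX */
    out[vlen] = '\0';
    return 0;
}

/* HARDENED: the buffer size travels with the buffer, and an overlong value is
 * rejected outright (-2) rather than silently truncated, so callers cannot
 * mistake a clipped value for a valid one. */
int get_param(const char *query, const char *name, char *out, size_t outlen)
{
    size_t vlen;
    const char *v = find_value(query, name, &vlen);
    if (!v) return -1;
    if (vlen >= outlen) return -2;
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return 0;
}

/* VULNERABLE pattern for command injection: the value is interpolated into a
 * shell command line, so "10.0.0.1; reboot" runs two commands as root. */
int ping_unsafe(const char *host)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);
}

/* Allowlist: only characters that can appear in a hostname or IPv4/IPv6 literal.
 * Returns 1 if every character is permitted and the string is non-empty. */
int is_safe_host(const char *host)
{
    if (!host || !*host) return 0;
    for (const char *c = host; *c; c++) {
        if (!(isalnum((unsigned char)*c) || *c == '.' || *c == '-' || *c == ':'))
            return 0;
    }
    return 1;
}

/* HARDENED: validate, then pass the value as its own argv element via execvp,
 * so no shell ever parses it. Returns the child's exit status, -1 on failure. */
int ping_safe(const char *host)
{
    if (!is_safe_host(host)) return -1;
    char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char host[16];
    /* Constructed sample query string (not captured traffic). */
    int rc = get_param("page=diag&host=10.0.0.1", "host", host, sizeof host);
    printf("get_param rc=%d host=%s\n", rc, rc == 0 ? host : "");
    printf("is_safe_host(\"10.0.0.1; reboot\") = %d\n", is_safe_host("10.0.0.1; reboot"));
    return 0;
}
```

The two fixes follow the same rule: the size of the destination and the set of acceptable characters are decided by the code, never by the request. Rejecting instead of truncating matters on a router, where a silently clipped value can become a misconfiguration that is harder to notice than an error page.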
Although some affected models are end-of-life or end-of-sale, DrayTek has released patches for all fourteen CVEs. Users are advised to disable remote management where it is not needed, enable two-factor authentication, and use access control lists to restrict which addresses can reach the management interface.
Network segmentation, strong unique passwords, and continuous monitoring of the devices are recommended as ongoing best practices.
DrayTek routers have repeatedly been targeted by threat actors, including Chinese state-sponsored APT groups. A recent joint FBI and CISA advisory described large-scale exploitation of such devices, including a botnet of roughly 260,000 compromised devices.
Vedere Labs has demonstrated a proof-of-concept exploit that chains CVE-2024-41592 and CVE-2024-41585 to take full remote control of an affected device. Their research underscores how readily these flaws could be turned to a range of criminal ends.
Separately, Black Lotus Labs reported in May that a 2023 cyberattack rendered 600,000 Sagemcom and ActionTec routers in the U.S. inoperable. The unidentified threat actors targeted devices belonging to a single U.S. internet service provider, and a commodity RAT identified as Chalubo was the primary payload responsible.