The research team at Trellix Threat Labs has discovered a critical unauthenticated remote code execution vulnerability impacting 29 models of the DrayTek Vigor series of business routers. The vulnerability, tracked as CVE-2022-32548, carries a maximum CVSS v3 severity score of 10.0 and could lead to complete device takeover, enabling a malicious actor to access internal resources of the breached networks.
A full list of all 29 affected DrayTek Vigor models can be found on Trellix's story page. The vulnerability is due to a buffer overflow on the login page of the web management interface. The attack can be performed without user interaction or the need for credentials. By default, a one-click attack is viable via the LAN. If the management interface of the device has been configured to be internet-facing, it may also be reachable via the internet.
Update Vulnerable DrayTek Vigor Routers
DrayTek has already released a patch for all affected models, which you can find in their firmware update center. If your organization is using any DrayTek devices, it is recommended that you apply the patch as soon as possible. All at-risk models of DrayTek Vigor are listed below as well as on Trellix's story page.
| Vulnerable Devices | Fixed Version |
|---|---|
| Vigor2927 LTE Series | 4.4.0 |
| Vigor2952 / 2952P | 18.104.22.168 |
| Vigor2926 LTE Series | 22.214.171.124 |
| Vigor2862 LTE Series | 126.96.36.199 |
| Vigor2620 LTE Series | 188.8.131.52 |
| Vigor2865 LTE Series | 4.4.0 |
| Vigor2866 LTE Series | 4.4.0 |
Discover Vulnerable Devices
Based on the list of affected models shared by Trellix, we have created a special Lansweeper report that will provide a list of all devices in your environment that could be affected by the vulnerability. This way you have an actionable list of devices that might require a patch.