DrayTek

DrayTek, a manufacturer of networking hardware, disclosed a critical security vulnerability (CVE-2025-10547) in multiple Vigor router models, allowing remote, unauthenticated attackers to execute arbitrary code via crafted HTTP/HTTPS requests to the WebUI. The flaw stems from an uninitialized stack value, enabling memory corruption, system crashes, or remote code execution (RCE). While no active exploitation is reported, the vulnerability exposes both WAN (if remote WebUI/SSL VPN is enabled) and LAN to potential attacks. Affected models span prosumer and SMB environments, including legacy and flagship devices. DrayTek urged administrators to apply firmware updates immediately to mitigate risks. The researcher, Pierre-Yves Maes, confirmed exploitability and plans to disclose full technical details, increasing the likelihood of future attacks if left unpatched. The impact could range from device compromise to lateral network infiltration, posing significant risks to businesses relying on these routers for connectivity and security.

Source: https://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code-execution-bug-in-vigor-routers/

TPRM report: https://www.rankiteo.com/company/draytek-corp-

"id": "dra4892048100225",
"linkid": "draytek-corp-",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Prosumer and Small to Medium '
                                              'Business (SMB) environments',
                        'industry': 'Networking Hardware',
                        'name': 'DrayTek',
                        'type': 'Manufacturer'}],
 'attack_vector': ['Network',
                   'Unauthenticated Remote Access',
                   'Crafted HTTP/HTTPS Requests'],
 'customer_advisories': ['Firmware update notifications'],
 'date_detected': '2025-07-22',
 'description': 'Networking hardware maker DrayTek released an advisory '
                'warning about a security vulnerability (CVE-2025-10547) in '
                'several Vigor router models. The flaw allows remote, '
                'unauthenticated actors to execute arbitrary code via crafted '
                "HTTP/HTTPS requests to the device's Web User Interface "
                '(WebUI). Successful exploitation may cause memory corruption, '
                'system crashes, or remote code execution (RCE). The root '
                'cause is an uninitialized stack value enabling arbitrary '
                'free() operations. DrayTek recommends firmware updates to '
                'mitigate the risk, though no ongoing exploitation is '
                'reported.',
 'impact': {'brand_reputation_impact': 'Moderate (public vulnerability '
                                       'disclosure)',
            'downtime': 'Potential system crashes leading to downtime',
            'operational_impact': 'High (RCE risk in prosumer/SMB '
                                  'environments)',
            'systems_affected': ['Vigor1000B',
                                 'Vigor2962',
                                 'Vigor3910/3912',
                                 'Vigor2135',
                                 'Vigor2763/2765/2766',
                                 'Vigor2865/2866 Series (incl. LTE & 5G)',
                                 'Vigor2927 Series (incl. LTE & 5G)',
                                 'Vigor2915 Series',
                                 'Vigor2862/2926 Series (incl. LTE)',
                                 'Vigor2952/2952P',
                                 'Vigor3220',
                                 'Vigor2860/2925 Series (incl. LTE)',
                                 'Vigor2133/2762/2832 Series',
                                 'Vigor2620 Series',
                                 'VigorLTE 200n']},
 'initial_access_broker': {'entry_point': 'Web User Interface (WebUI) via '
                                          'HTTP/HTTPS'},
 'investigation_status': 'Ongoing (technical details to be disclosed by '
                         'researcher)',
 'post_incident_analysis': {'corrective_actions': ['Firmware patches',
                                                   'Access restrictions '
                                                   '(ACLs/VLANs)'],
                            'root_causes': ['Uninitialized stack value '
                                            'enabling arbitrary free() '
                                            'operations']},
 'recommendations': ['Apply firmware updates immediately',
                     'Disable remote WebUI/SSL VPN access if not required',
                     'Restrict WebUI access via ACLs/VLANs',
                     'Monitor for exploitation attempts'],
 'references': [{'source': 'DrayTek Security Advisory'},
                {'source': 'BleepingComputer'},
                {'source': 'ChapsVision Researcher Pierre-Yves Maes'}],
 'response': {'communication_strategy': ['Public security advisory',
                                         'Firmware update recommendations'],
              'containment_measures': ['Disable remote WebUI/SSL VPN access',
                                       'Restrict access with ACLs/VLANs',
                                       'Limit exposure to LAN-only (local '
                                       'attackers still possible)'],
              'network_segmentation': ['ACLs', 'VLANs'],
              'remediation_measures': ['Firmware updates to patched versions '
                                       '(model-specific)',
                                       'Vigor1000B, Vigor2962, Vigor3910/3912 '
                                       '→ 4.4.3.6 or later (some 4.4.5.1)',
                                       'Vigor2135, Vigor2763/2765/2766, '
                                       'Vigor2865/2866 Series (incl. LTE & '
                                       '5G), Vigor2927 Series (incl. LTE & 5G) '
                                       '→ 4.5.1 or later',
                                       'Vigor2915 Series → 4.4.6.1 or later',
                                       'Vigor2862/2926 Series (incl. LTE) → '
                                       '3.9.9.12 or later',
                                       'Vigor2952/2952P, Vigor3220 → 3.9.8.8 '
                                       'or later',
                                       'Vigor2860/2925 Series (incl. LTE) → '
                                       '3.9.8.6 or later',
                                       'Vigor2133/2762/2832 Series → 3.9.9.4 '
                                       'or later',
                                       'Vigor2620 Series → 3.9.9.5 or later',
                                       'VigorLTE 200n → 3.9.9.3 or later'],
              'third_party_assistance': ['ChapsVision (Security Researcher '
                                         'Pierre-Yves Maes)']},
 'stakeholder_advisories': ['Public security bulletin'],
 'title': 'DrayTek Vigor Router Remote Code Execution Vulnerability '
          '(CVE-2025-10547)',
 'type': ['Vulnerability', 'Remote Code Execution (RCE)', 'Memory Corruption'],
 'vulnerability_exploited': 'CVE-2025-10547 (Uninitialized Stack Value Leading '
                            'to Arbitrary Free)'}