
Recent reports have highlighted widespread issues with DrayTek routers, including numerous reboots in the UK and Australia, and similar problems in Germany, Vietnam, and other countries. According to GreyNoise, there’s increasing evidence of in-the-wild exploitation attempts targeting known vulnerabilities in DrayTek devices.
ISPreview has been closely monitoring the situation in the UK, where numerous broadband providers have reported significant disruptions due to DrayTek devices constantly rebooting. DrayTek has acknowledged these issues and released an advisory urging customers to disconnect their WAN and update their device’s firmware. However, the advisory only states that the firmware updates are needed to address a vulnerability; it does not identify the exploited flaw or clearly attribute the reboots to malicious actors.
GreyNoise is drawing attention to observed in-the-wild activity targeting several known DrayTek vulnerabilities. The report states: “Following reports of widespread reboots affecting DrayTek routers globally, GreyNoise is bringing awareness to in-the-wild activity against several known vulnerabilities in DrayTek devices. While we cannot confirm a direct connection between this activity and the reported reboots, we are surfacing this data to help defenders monitor and respond accordingly.”
GreyNoise has observed in-the-wild activity against the following CVEs:
- CVE-2020-8515: A remote code execution vulnerability in multiple DrayTek router models.
- CVE-2021-20123: A directory traversal vulnerability in DrayTek VigorConnect.
- CVE-2021-20124: A second directory traversal vulnerability in DrayTek VigorConnect.
GreyNoise’s analysis of the past 45 days reveals ongoing exploitation attempts.
- CVE-2020-8515 (Remote Code Execution): While there has been no activity in the past 24 hours, GreyNoise observed 82 IPs attempting to exploit this vulnerability in the past 30 days. Top destination countries for these attempts include Indonesia, Hong Kong, and the United States.
- CVE-2021-20123 & CVE-2021-20124 (Directory Traversal): There has been activity targeting these vulnerabilities in the past 24 hours. GreyNoise observed 23 IPs exploiting CVE-2021-20123 and 22 IPs exploiting CVE-2021-20124 in the past 30 days. Top destination countries for these exploits include Lithuania, the United States, and Singapore.
While a definitive link between the observed exploitation attempts and the widespread DrayTek router reboots hasn’t been established, the GreyNoise report indicates a clear and present danger. Network defenders should closely monitor their systems for any activity related to the CVEs mentioned in the report and take appropriate action to mitigate potential threats. It is crucial for DrayTek users to follow the vendor’s recommendations and ensure their devices are updated with the latest firmware.
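Two of the three CVEs GreyNoise lists are directory traversal flaws, and the closing advice is to watch for related activity. The following is an added example, not code from GreyNoise, DrayTek or the article: a small Python detector that scans web-access log lines for traversal attempts in the request path. It repeatedly percent-decodes the path (so single and double encoding such as `%2e%2e` and `%252e%252e` are caught), treats backslashes as separators, and flags any path containing a `..` segment. The log lines are constructed samples in common log format, and the check is generic traversal detection rather than a signature for the specific VigorConnect payloads, which the article does not describe.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real DrayTek/VigorConnect logs).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [25/Mar/2025:10:01:03 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
203.0.113.12 - - [25/Mar/2025:10:01:04 +0000] "GET /api/%2e%2e/%2e%2e/config HTTP/1.1" 403 0
203.0.113.13 - - [25/Mar/2025:10:01:05 +0000] "GET /files/%252e%252e/%252e%252e/secret HTTP/1.1" 403 0
203.0.113.14 - - [25/Mar/2025:10:01:06 +0000] "GET /docs/..%5c..%5cwin.ini HTTP/1.1" 403 0
203.0.113.15 - - [25/Mar/2025:10:01:07 +0000] "POST /login HTTP/1.1" 302 0
"""

# Common log format: client ip, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats double encoding) and unify separators.

    Decoding stops early once a round changes nothing; max_rounds bounds the
    work so a hostile input cannot make us loop indefinitely.
    """
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True if the decoded request path contains a '..' segment."""
    path = normalize_path(raw_path.split("?", 1)[0])  # ignore the query string
    return any(segment == ".." for segment in path.split("/"))


def flag_traversal(log_text: str) -> list:
    """Return one record per log line whose request path looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": m["path"],
                "normalized": normalize_path(m["path"]),
                "status": int(m["status"]),
            })
    return hits


def count_by_ip(hits: list) -> dict:
    """Aggregate flagged requests per source IP for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["path"]} -> {hit["normalized"]}')
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; a non-zero hit list from an internet-facing management interface is a prompt to confirm the firmware level and apply the vendor update, since the response status alone (404 or 403) does not tell you whether an unpatched handler would have behaved differently.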