A newly disclosed vulnerability in DrayTek’s Vigor routers, tracked as CVE-2025-10547, could allow remote attackers to execute arbitrary code and gain full control of affected devices. The flaw, rated CVSS 8.8 (High), affects multiple Vigor router models and can be exploited through either the LAN web interface or EasyVPN, according to a vulnerability note published by CERT/CC.
The CERT/CC note describes CVE-2025-10547 as a remote code execution (RCE) vulnerability originating in the LAN web administration interface. Specifically, “a script in the LAN web administration interface uses an uninitialized variable, allowing an attacker to send specially crafted HTTP requests that cause memory corruption and potentially allow arbitrary code execution.”
In plain terms, a crafted HTTP request to that script reaches a code path that reads a variable before anything has assigned it, so the handler operates on whatever happened to be in memory; the resulting memory corruption can be steered by the attacker into arbitrary code execution on the router.
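The bug class CERT/CC describes, shown as an added illustration that is not DrayTek's code and does not reflect the actual script involved: a hypothetical C request handler only assigns a length variable when a query parameter is present, so a request that omits the parameter uses whatever was left on the stack as a memcpy length. It sits next to a hardened version that requires the parameter, parses it strictly and bounds it. The query-string parser, the parameter name `count`, the payload handling and the buffer sizes are all assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 64   /* assumed size of the handler's output buffer */

/* Minimal query-string lookup (constructed for this example): copies the value
 * of `key` into `out` and returns 1, or returns 0 if the key is absent. */
static int query_param(const char *qs, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = qs;
    while (p && *p) {
        const char *eq  = strchr(p, '=');
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);
        if (eq && (!amp || eq < amp) && (size_t)(eq - p) == klen &&
            strncmp(p, key, klen) == 0) {
            size_t vlen = pair_len - klen - 1;
            if (vlen >= outsz) vlen = outsz - 1;   /* truncate, never overflow out */
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* VULNERABLE pattern (hypothetical, not DrayTek's code): `count` is assigned
 * only when the "count" parameter is present. A request without it leaves
 * `count` holding whatever was on the stack, and that garbage becomes the
 * memcpy length: a read past `payload` and a write past `dst`. */
int handle_vulnerable(const char *qs, const char *payload, char *dst)
{
    char tmp[16];
    size_t count;                                   /* never initialized */
    if (query_param(qs, "count", tmp, sizeof tmp))
        count = (size_t)strtoul(tmp, NULL, 10);
    memcpy(dst, payload, count);                    /* uninitialized or oversized length */
    return 0;
}

/* HARDENED version: the parameter is required, parsed strictly, and bounded
 * by both the payload length and the destination buffer. Returns the number
 * of bytes copied, or -1 if the request is rejected. */
int handle_fixed(const char *qs, const char *payload, char *dst)
{
    char tmp[16];
    char *end;
    unsigned long v;

    if (!query_param(qs, "count", tmp, sizeof tmp))
        return -1;                                  /* missing parameter: reject, don't guess */
    errno = 0;
    v = strtoul(tmp, &end, 10);
    if (end == tmp || *end != '\0' || errno != 0)
        return -1;                                  /* not a clean decimal number */
    if (v > strlen(payload) || v >= BUF_SZ)
        return -1;                                  /* out of bounds for source or destination */
    memcpy(dst, payload, v);
    dst[v] = '\0';
    return (int)v;
}

int main(void)
{
    char dst[BUF_SZ];
    printf("count=5  -> %d (%s)\n", handle_fixed("count=5&x=1", "helloworld", dst), dst);
    printf("no count -> %d\n", handle_fixed("x=1", "helloworld", dst));
    printf("count=99 -> %d\n", handle_fixed("count=99", "helloworld", dst));
    return 0;
}
```

The hardened handler fails closed: a missing, malformed or oversized `count` is rejected with -1 instead of being guessed. Compilers flag the vulnerable function with `-Wall` ("may be used uninitialized"), which is one reason to treat that warning as an error in firmware builds.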
DrayTek’s Vigor routers, which are popular among small and medium-sized businesses, run on DrayOS—a proprietary firmware that includes EasyVPN and a LAN Web Administrator for configuration and management. These features are designed for convenience but, in this case, have opened a dangerous attack vector.
According to CERT/CC, “a remote, unauthenticated attacker can exploit this vulnerability through accessing the LAN interface—or potentially the WAN interface—if EasyVPN is enabled or remote administration over the internet is activated.”
In other words, if EasyVPN or remote management over the internet is enabled, an attacker needs no credentials to exploit the flaw from the WAN side. Disabling those features shrinks the exposure but does not remove it: the vulnerable interface remains reachable from any host on the LAN, including a compromised workstation or guest device, so the firmware update is still required.
If successfully exploited, attackers can execute arbitrary code on the router and gain root-level access. Once inside, they can install backdoors, modify configurations, or use the router as a staging ground for further attacks within the network.
As CERT/CC warns, “A successful attack could result in an attacker gaining root access to a Vigor router to then install backdoors, reconfigure network settings, or block traffic. An attacker may also pivot for lateral movement via intercepting internal communications and bypassing VPNs.”
This level of control means the attacker effectively owns the device and the network it protects—making CVE-2025-10547 a particularly severe threat in business environments.
The DrayTek Security Team has released patches for all affected models and urges users to update immediately. Firmware updates are now available for dozens of Vigor router models, including the Vigor1000B, 2962, 3910, 3912, 2135, 2763, 2765, 2865, 2866, 2927, 2915, and older series such as 2860 and 2925, among others.
For most modern models (such as the Vigor2135, Vigor2865 Series, and Vigor2927 Series), firmware version 4.5.1 or later fixes the vulnerability. Older models require firmware versions between 3.9.8.6 and 3.9.9.12, depending on the model line. Because the fixed version differs by model line, check the exact model name and running firmware version on the router's status page against the entry for that model in DrayTek's advisory rather than relying on a single version number.
DrayTek’s official guidance, including direct firmware download links, is available in the company’s knowledge base article.