Researchers at Trellix have discovered a critical unauthenticated remote code execution (RCE) vulnerability impacting 29 models of the DrayTek Vigor series of business routers.
The vulnerability is tracked as CVE-2022-32548 and carries a maximum CVSS v3 severity score of 10.0, categorizing it as critical.
DrayTek Vigor 3910 and 28 other router models are vulnerable to the discovered RCE flaw.
The compromise of a network appliance such as the Vigor 3910 router could lead to a leak of the sensitive data stored on the router, access to internal resources, man-in-the-middle interception of network traffic, botnet activity, and packet capture of the data going through any port of the router, among other things.
DrayTek released the patch less than thirty days after the vulnerability disclosure.
There have been no signs of CVE-2022-32548 being exploited, but as CISA reported recently, SOHO routers are always in the crosshairs of state-sponsored APTs from China and elsewhere.
The possible consequences of a compromise include:
- Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
- Access to the internal resources located on the LAN that would normally require VPN access or being present "on the same network"
- Man-in-the-middle interception of network traffic
- Spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router
- Packet capture of the data going through any port of the router
- Botnet activity (DDoS, hosting malicious data, etc.)
The vulnerable DrayTek models are the following:
- Vigor2962 Series
- Vigor2927 Series
- Vigor2927 LTE Series
- Vigor2915 Series
- Vigor2952 / 2952P
- Vigor3220 Series
- Vigor2926 Series
- Vigor2926 LTE Series
- Vigor2862 Series
- Vigor2862 LTE Series
- Vigor2620 LTE Series
- VigorLTE 200n
- Vigor2133 Series
- Vigor2762 Series
- VigorNIC 132
- Vigor2135 Series
- Vigor2765 Series
- Vigor2766 Series
- Vigor2865 Series
- Vigor2865 LTE Series
- Vigor2866 Series
- Vigor2866 LTE Series