Active exploitation of DrayTek router vulnerabilities underway in the wild

As DrayTek routers around the world randomly reboot for no apparent reason, security researchers have spotted hackers actively exploiting a trio of vulnerabilities in the popular router brand.


Researchers at threat intelligence firm GreyNoise recently warned that hackers have been observed taking advantage of three known vulnerabilities in DrayTek routers.

The malicious activity, which appears to be global in its extent, comes at the same time that many DrayTek customers are reporting that their routers are randomly rebooting without any apparent cause.

According to DrayTek, the best solution is to disconnect the device and upgrade to the latest firmware if possible. The company also suggests turning off remote access unless absolutely necessary and using an access control list otherwise, suggesting some external factor may be at play – something that DrayTek does not elaborate on.

DrayTek also suggests simply buying a new router if the current model is too old.

The random reboots were first reported a few days ago on Reddit, with DrayTek addressing the issue on 24 March. A day later, on 25 March, GreyNoise reported that it was observing active exploitation of three vulnerabilities:

  • CVE-2020-8515 – a remote code execution vulnerability in multiple DrayTek router models.
  • CVE-2021-20123 – a directory traversal vulnerability in DrayTek VigorConnect.
  • CVE-2021-20124 – another directory traversal vulnerability in DrayTek VigorConnect.
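Two of the three vulnerabilities GreyNoise reports as exploited are directory traversal flaws. As an added example (not code from the article, GreyNoise or DrayTek), the following Python script shows the kind of check a defender can run over web-server access logs to surface traversal attempts, including percent-encoded and double-encoded variants. The log lines are constructed for illustration, the log format is assumed to be a generic Apache-style access log, and the check is a generic traversal test rather than anything specific to VigorConnect.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumption: Apache/nginx combined-style
# format). The addresses are documentation-range IPs, not real sources.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [25/Mar/2025:10:01:05 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.12 - - [25/Mar/2025:10:01:07 +0000] "GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
203.0.113.13 - - [25/Mar/2025:10:01:09 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
203.0.113.14 - - [25/Mar/2025:10:01:11 +0000] "GET /images/logo..png HTTP/1.1" 200 2048
"""

# Minimal parser for the assumed log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..' is caught,
    and fold backslashes into forward slashes."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if any path or query segment of the normalized target is exactly '..'.
    Splitting on separators keeps benign names like 'logo..png' from matching."""
    segments = re.split(r"[/?=&]", normalize(target))
    return any(seg == ".." for seg in segments)


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose request target looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if is_traversal(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "target": m.group("target"),
                "status": int(m.group("status")),
            })
    return hits


def traversal_sources(log_text: str) -> list[str]:
    """Distinct client IPs that sent traversal-looking requests, sorted."""
    return sorted({h["ip"] for h in find_traversal_attempts(log_text)})


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["target"]}')
    print("sources:", traversal_sources(SAMPLE_LOG))
```

The status code is kept in each record on purpose: a run of 404s from one source is the typical footprint of scanning, while a 200 on the same kind of request is the line that warrants an immediate look at the host.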

GreyNoise did admit, however, that it could not see a connection between the activity it observed and the reboots, but it said it was “surfacing this data to help defenders monitor and respond accordingly”.

The researchers have seen consistent activity over the last 45 days and, in the case of the latter two vulnerabilities above, active exploitation within the last 24 hours. Almost 150 IP addresses have been linked to the exploitation attempts, and the targeted countries include the United States, Lithuania, Singapore, and Hong Kong.

At least one Australian entity appears to be among the targets, according to GreyNoise’s own activity visualisation tool.

Cyber Daily has reached out to DrayTek for comment.

You can read more about what GreyNoise has observed here.

This is not the first time DrayTek has made headlines over the exploitation of its network hardware. In December 2024, cyber security firm Forescout disclosed 14 vulnerabilities in 24 different models of DrayTek routers.

“While the extent of these findings was beyond expectation, it was not entirely surprising,” Vedere Labs said at the time.

“DrayTek is among many vendors that [do] not appear to conduct the necessary variant analysis and post-mortem analysis after vulnerability reports – which could lead to long-term improvements.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
