Full Report
Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute arbitrary code. [...]
Analysis Summary
# Vulnerability: Remote Code Execution in DrayTek Vigor Routers via WebUI Request
## CVE Details
- CVE ID: CVE-2025-10547
- CVSS Score: Not explicitly provided in the text, but the capability for RCE suggests **High** severity.
- CWE: Potential memory corruption (likely related to buffer overflow or improper memory handling based on the technical detail).
## Affected Systems
- Products: DrayTek Vigor Routers (Multiple Models)
- Versions: Specific vulnerable versions are covered by the required upgrade targets listed in the Remediation section.
- Configurations: Triggered by sending crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI). The flaw is reachable from whichever interface the WebUI is exposed on, WAN or LAN.
## Vulnerability Description
The vulnerability stems from an uninitialized stack value, which an unauthenticated remote attacker can leverage via crafted HTTP/HTTPS requests to corrupt memory. Specifically, the flaw allows an **arbitrary `free()`** operation, potentially leading to memory corruption, system crash, and in some circumstances, Remote Code Execution (RCE).
## Exploitation
- Status: Exploit PoC successfully created and demonstrated by the researcher. DrayTek advisory does not mention active exploitation in the wild, but immediate mitigation is recommended.
- Complexity: Likely **Medium** or **High**, since turning an arbitrary `free()` into reliable code execution requires additional work beyond triggering the bug.
- Attack Vector: Network (via WebUI access from WAN or LAN).
## Impact
- Confidentiality: Potentially High (if RCE leads to file access/data exfiltration).
- Integrity: High (Arbitrary code execution compromises system integrity).
- Availability: High (Successful exploitation can cause a system crash).
## Remediation
### Patches
Administrators must upgrade to the following minimum firmware versions:
| Product Group | Minimum Firmware Version |
| :--- | :--- |
| Vigor1000B, Vigor2962, Vigor3910/3912 | 4.4.3.6 or later (some models 4.4.5.1) |
| Vigor2135, Vigor2763/2765/2766, Vigor2865/2866 Series (incl. LTE & 5G), Vigor2927 Series (incl. LTE & 5G) | 4.5.1 or later |
| Vigor2915 Series | 4.4.6.1 or later |
| Vigor2862/2926 Series (incl. LTE) | 3.9.9.12 or later |
| Vigor2952/2952P, Vigor3220 | 3.9.8.8 or later |
| Vigor2860/2925 Series (incl. LTE) | 3.9.8.6 or later |
| Vigor2133/2762/2832 Series | 3.9.9.4 or later |
| Vigor2620 Series | 3.9.9.5 or later |
| VigorLTE 200n | 3.9.9.3 or later |
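An added example, not part of the advisory or DrayTek's own tooling: a small checker that compares an inventory of Vigor models and running firmware strings against the minimum versions in the table above. The model-prefix matching and the sample inventory are assumptions; for the 4.4.3.6 row the table does not name which models need 4.4.5.1, so devices between those two bounds are flagged for manual review rather than marked patched.

```python
import re

# (model-name prefixes, group minimum, stricter bound some models need) from the table.
# The stricter bound is only known for the first row ("some models 4.4.5.1").
MIN_FIRMWARE = [
    (("Vigor1000B", "Vigor2962", "Vigor3910", "Vigor3912"), "4.4.3.6", "4.4.5.1"),
    (("Vigor2135", "Vigor2763", "Vigor2765", "Vigor2766",
      "Vigor2865", "Vigor2866", "Vigor2927"), "4.5.1", None),
    (("Vigor2915",), "4.4.6.1", None),
    (("Vigor2862", "Vigor2926"), "3.9.9.12", None),
    (("Vigor2952", "Vigor3220"), "3.9.8.8", None),
    (("Vigor2860", "Vigor2925"), "3.9.8.6", None),
    (("Vigor2133", "Vigor2762", "Vigor2832"), "3.9.9.4", None),
    (("Vigor2620",), "3.9.9.5", None),
    (("VigorLTE 200n",), "3.9.9.3", None),
]

def parse_version(v):
    """'4.4.3.6' -> (4, 4, 3, 6); shorter strings are zero-padded so '4.5.1' > '4.4.5.3'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return parts + (0,) * (4 - len(parts))

def minimum_for(model):
    """Return (minimum, stricter_or_None) for a model, or None if it is not in the table."""
    for prefixes, minimum, stricter in MIN_FIRMWARE:
        if any(model.startswith(p) for p in prefixes):   # assumption: suffixes like 'ax', 'Ln' are variants
            return minimum, stricter
    return None

def assess(model, running):
    """Classify a device as 'patched', 'vulnerable', 'check-variant' or 'unknown-model'."""
    entry = minimum_for(model)
    if entry is None:
        return "unknown-model"
    minimum, stricter = entry
    if parse_version(running) < parse_version(minimum):
        return "vulnerable"
    if stricter and parse_version(running) < parse_version(stricter):
        return "check-variant"   # above the group minimum but below the bound some models need
    return "patched"

# Constructed sample inventory, not real devices.
INVENTORY = [("Vigor2865ax", "4.4.5.3"), ("Vigor2962", "4.4.3.6"), ("Vigor2962", "4.4.3.1"),
             ("Vigor2926Ln", "3.9.9.12"), ("Vigor165", "4.2.7")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:14} {fw:10} {assess(model, fw)}")
```

Note that a device running 4.4.5.3 in the 4.5.1 group is still vulnerable: the comparison is positional, not lexical, which is why the version tuple is zero-padded before comparing.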
### Workarounds
1. Disable remote WebUI access.
2. Restrict WebUI access using Access Control Lists (ACLs) or VLANs. (Note: This mitigates external threats but does not protect against pre-existing LAN presence).
## Detection
- **Indicators of Compromise:** Unexpected system crashes or reboots related to WebUI interaction.
- **Detection methods and tools:** Monitoring network traffic directed toward the WebUI port (HTTP/HTTPS) for unusually structured requests originating from unauthenticated sources, particularly patterns that might indicate memory manipulation attempts.
## References
- Vendor advisory: DrayTek Security Advisory corresponding to CVE-2025-10547.
- Relevant link (defanged): `hxxps://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code-execution-bug-in-vigor-routers/`