DRAY:BREAK Breaking Into DrayTek Routers Before Threat Actors Do It Again

In 2024, routers are a primary target for cybercriminals and state-sponsored attackers – and are the riskiest device category on networks. With this knowledge, we investigated one vendor with a history of security flaws to help it address its issues and prevent new attacks.

Our latest research discovered 14 new vulnerabilities in DrayTek routers:

• One has a severity score of a maximum 10
• One is critical at 9.1
• 9 others have medium severity scores

Given the significant risks these vulnerabilities pose, immediate action is recommended. DrayTek has responded promptly. All vulnerabilities Vedere Labs discovered have been patched in various firmware versions.

Threat Risk

With over 704,000 DrayTek routers exposed online in 168 countries, you cannot afford to underestimate the threat landscape. These devices are not just hardware; they represent potential entry points for devastating attacks.

Our research shows these vulnerabilities could be used in espionage, data exfiltration, ransomware, and denial of service (DoS) attacks. See Section 6 “Attack Scenarios” for an example involving a vulnerable device configured to expose the Web UI over the WAN (internet).

However, the threat risk is not theoretical. On Sept. 18, 2024, the Federal Bureau of Investigation announced it had taken down a botnet exploiting three CVEs on DrayTek assets (CVE-2023-242290, CVE-2020-15415 and CVE-2020-8515). Two weeks prior, CISA added two other DrayTek CVEs to the KEV (CVE-2021-20123 and CVE- 2021-20124).

These events are separate from our discoveries, yet they highlight the importance of continuous threat intelligence finding new issues and tracking exploitations on these devices.