Recent investigations by cybersecurity experts at Forescout Vedere Labs have uncovered extensive vulnerabilities in routers produced by DrayTek, placing both residential and enterprise users at risk. The discoveries reveal over a dozen security flaws that could enable malicious actors to gain control over these routers, thereby compromising networks of affected businesses.
Collectively named DRAY:BREAK, the 14 identified vulnerabilities vary in severity; two are classified as critical, and one has been assigned the maximum CVSS score of 10.0, indicating an exceptionally high risk. Forescout specifically noted that these vulnerabilities could allow attackers to inject malicious code, gain persistent access to the devices, and potentially use them as a gateway into broader corporate networks.
Among the critical vulnerabilities, CVE-2024-41592 pertains to a buffer overflow in the “GetCGI()” function within the web interface. This flaw can lead to remote code execution or denial-of-service situations. Another critical issue, CVE-2024-41585, involves OS command injection in the communication mechanism between host and guest operating systems, rated at 9.1 on the CVSS scale.
Forescout’s analysis highlighted a concerning statistic: over 704,000 DrayTek routers have their web interfaces exposed online, with a significant concentration in the U.S. Following responsible disclosure, DrayTek has promptly issued patches to address all identified vulnerabilities, including the most severe ones affecting end-of-life models.
Given these flaws, businesses are urged to apply the patches to mitigate the risk. Additional recommendations include disabling remote access where it is not needed and implementing access control lists and two-factor authentication to reinforce defenses.
The rapid discovery of these vulnerabilities has coincided with a broader initiative by several international cybersecurity agencies, including those from the U.S. and Australia, aimed at providing guidance to organizations in critical infrastructure sectors. Their document, which outlines key strategies for operational technology cybersecurity, underscores the need for comprehensive threat management and robust security practices.
As awareness of these vulnerabilities grows, the cybersecurity landscape continues to evolve. Attack surface management firm Censys reported a total of 751,801 exposed DrayTek Vigor routers, with a disturbing number revealing vulnerable administrative interfaces. This trend reflects the persistence of adversarial tactics targeting exposed devices for potential exploitation, enabling network reconnaissance and unauthorized access to enterprise infrastructures.
In this context, the use of the MITRE ATT&CK framework is pertinent for understanding the tactics deployed by threat actors, such as initial access through exposed interfaces, persistence strategies post-compromise, and further actions like lateral movement and data exfiltration. Given the escalating risks posed by these vulnerabilities, business owners should remain vigilant and proactive in fortifying their cybersecurity measures against emerging threats.