14 new DrayTek router flaws impact over 700,000 devices in 168 countries

Multiple flaws in DrayTek residential and enterprise routers can be exploited to fully compromise vulnerable devices.

Forescout researchers discovered 14 new vulnerabilities in DrayTek routers, two of which have been rated critical. Of the 14 security flaws, nine are rated high and three are rated medium in severity.

The flaws affect residential and enterprise routers manufactured by DrayTek and could be exploited to take over vulnerable devices.

The experts reported that over 704,000 DrayTek routers are exposed online in 168 countries, posing a serious risk to customers.

DrayTek flaws

Vulnerabilities in these devices could be exploited for cyber espionage, data theft, ransomware and DoS attacks. On September 18, 2024, the FBI dismantled a botnet exploiting three DrayTek CVEs, and CISA recently added two more to its Known Exploited Vulnerabilities list.

“Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe. A successful attack could lead to significant downtime, loss of customer trust and regulatory penalties, all of which fall squarely on a CISO’s shoulders,” reads the report published by Forescout.

The most severe vulnerability, tracked as CVE-2024-41592 (CVSS score 10), is a DoS/RCE issue.

“The ‘GetCGI()’ function in the Web UI, responsible for retrieving HTTP request data, is vulnerable to a buffer overflow when processing the query string parameters,” reads the advisory.
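The advisory text describes the classic shape of this bug: a CGI handler copies a query-string value into a fixed-size buffer without checking its length. The following C snippet is an added illustration, not DrayTek's code and not taken from the advisory; the buffer size, function names and sample requests are constructed for the example. It shows the unsafe pattern as a comment and implements the hardened alternative, which looks up a key in the query string and rejects (rather than truncates) values that do not fit the destination buffer.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 32   /* hypothetical fixed-size buffer in a CGI handler */

/* Unsafe pattern (comment only, never executed here):
 *   char value[VALUE_MAX];
 *   strcpy(value, strchr(query, '=') + 1);   // no length check
 * A value longer than VALUE_MAX-1 bytes overruns 'value' on the stack. */

/* Hardened version: find 'key' in 'query' ("a=1&b=2&...") and copy its
 * value into out[outlen]. Matching is anchored at the start of each
 * key=value pair, so "pages=1" does not satisfy a lookup for "page".
 * Returns 0 on success, -1 if the key is absent, -2 if the value would
 * not fit in 'out' together with its terminating NUL. */
int get_query_value(const char *query, const char *key,
                    char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = query;

    while (*p) {
        const char *end = strchr(p, '&');
        size_t pairlen = end ? (size_t)(end - p) : strlen(p);

        if (pairlen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            size_t vlen = pairlen - klen - 1;
            if (vlen >= outlen)
                return -2;           /* reject over-long input, do not truncate */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return -1;
}

/* Convenience check: would this request's value for 'key' be accepted
 * into a VALUE_MAX-sized buffer? */
int query_value_fits(const char *query, const char *key)
{
    char buf[VALUE_MAX];
    return get_query_value(query, key, buf, sizeof buf) == 0;
}

int main(void)
{
    char buf[VALUE_MAX];
    /* constructed sample requests */
    const char *ok  = "user=admin&page=status";
    const char *bad = "user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&page=1"; /* 44 'A's */

    printf("page -> rc=%d value=%s\n", get_query_value(ok, "page", buf, sizeof buf), buf);
    printf("oversized user -> rc=%d\n", get_query_value(bad, "user", buf, sizeof buf));
    return 0;
}
```

The important design choice is returning an error for an over-long value instead of silently truncating it: truncation keeps the handler memory-safe but can change the meaning of the request, whereas rejection fails closed and gives the caller something to log.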

The second critical issue, tracked as CVE-2024-41585, is an OS command exec / VM escape vulnerability.

The “recvCmd” binary, which facilitates communication between the host and guest operating systems, is vulnerable to OS command injection attacks.
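A host/guest command channel like the one described above is injectable when a caller-supplied string is spliced into a shell command line. The C snippet below is an added illustration, not DrayTek's recvCmd and not derived from it; the ping command, the allowlist and the sample inputs are constructed for the example. It shows the unsafe `system()` pattern as a comment and implements the defensive alternative: validate the untrusted field against a strict allowlist and pass it as a separate argv element to an `execv`-style call, so no shell ever parses it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Unsafe pattern (comment only, never executed here):
 *   char cmd[256];
 *   snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);  // host is untrusted
 *   system(cmd);          // the shell interprets ; | & ` $ ( ) and friends
 */

/* Allowlist check for a hostname or IPv4 literal: only [A-Za-z0-9.-],
 * 1..253 bytes, and not starting with '-' (so it cannot be parsed as
 * an option by the target program). Returns 1 if acceptable, else 0. */
int is_safe_host(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253)
        return 0;
    if (host[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build an argv vector for execv/posix_spawn (no shell involved).
 * The untrusted host becomes its own argument, never part of a command
 * string. Returns the number of non-NULL entries, or -1 if the host
 * fails validation or the vector is too small. */
int build_ping_argv(const char *host, const char *argv[], size_t argv_max)
{
    if (argv_max < 5 || !is_safe_host(host))
        return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* constructed inputs: one benign, two that a shell would misinterpret */
    const char *inputs[] = { "10.0.0.1", "10.0.0.1; echo injected", "host`id`", "-c" };
    const char *argv[8];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = build_ping_argv(inputs[i], argv, 8);
        printf("%-28s -> %s\n", inputs[i], rc < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The resulting `argv` would be handed to `execv("/bin/ping", (char *const *)argv)` in a child process; because no shell is in the path, metacharacters in the host field have no special meaning even if the allowlist were later relaxed. The allowlist is still worth keeping, since it also blocks option-injection through a leading `-`.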

DrayTek already released security updates to address the vulnerabilities reported by Forescout.

At this time, the company is not aware of attacks in the wild exploiting the above vulnerabilities.

“While the extent of these findings was beyond expectation, it was not entirely surprising. DrayTek is among many vendors that does not appear to conduct the necessary variant analysis and post-mortem analysis after vulnerability reports — which could lead to long-term improvements,” concludes the report. “Compared to our research on OT, we found a smaller percentage of unpatched and end-of-life IT routers in DrayTek compared to OT routers (Sierra Wireless).”

Pierluigi Paganini
