
Networking hardware manufacturer DrayTek is confronting a significant security crisis involving multiple vulnerabilities in its Vigor router models, including a critical new remote code execution flaw and a separate global incident causing widespread, unexplained router reboots. The situation highlights persistent threats to network infrastructure and the critical importance of timely firmware updates for perimeter devices. Security researchers have linked these events to the active exploitation of both newly disclosed and older, unpatched vulnerabilities, some dating back to 2020 [4].
The core of the recent alert involves CVE-2025-10547, a critical unauthenticated remote code execution vulnerability resulting from the use of an uninitialized variable [4]. This flaw allows remote, unauthenticated attackers to execute arbitrary code by sending crafted HTTP/HTTPS requests to the router’s web interface, affecting a wide range of Vigor models [1]. DrayTek has released firmware patches to address this specific issue. Concurrently, a separate and highly disruptive event unfolded in late March 2025, where users, particularly in the UK and Australia, reported their DrayTek routers randomly and repeatedly rebooting, causing severe network instability [2, 5].
Executive Summary for Security Leadership
This incident presents a compound threat to organizational network perimeters. A new, critical RCE vulnerability (CVE-2025-10547) requires immediate patching. Simultaneously, a global reboot phenomenon has been tied to the mass exploitation of older vulnerabilities for which patches have been available for years. The reboot incident specifically affected devices with SSL VPN or poorly configured Remote Management enabled, acting as a visible symptom of a deeper patching deficit. This serves as a stark reminder that unpatched network infrastructure, even for old flaws, represents a high-risk attack vector that can lead to operational disruption and potential compromise.
- New Threat: Critical unauthenticated RCE (CVE-2025-10547) in multiple Vigor router models.
- Active Incident: Global router reboots linked to exploitation of old vulnerabilities (CVE-2020-8515, CVE-2021-20123, CVE-2021-20124).
- Root Cause: Failure to apply historical firmware updates, leaving devices exposed to known attack vectors.
- Primary Mitigation: Immediate application of the latest firmware patches and disabling of unnecessary remote services.
Technical Analysis of the New RCE Vulnerability
The newly disclosed vulnerability, tracked as CVE-2025-10547, is an unauthenticated remote code execution flaw stemming from the use of an uninitialized variable in the router’s software [4]. This type of vulnerability occurs when a program variable is read before it has been assigned a value, leading to unpredictable behavior that can be manipulated by an attacker. In this context, sending specially crafted HTTP or HTTPS requests to the web management interface of an affected Vigor router can trigger this condition, potentially allowing the execution of operating system commands with the privileges of the underlying web service.
DrayTek’s advisory, DSA-2025-001 & DSA-2025-002, details the affected models and provides the patched firmware versions [4]. This vulnerability is particularly severe because it requires no authentication, meaning an attacker on the internet does not need any credentials to exploit it. The company had previously addressed related buffer overflow issues (CVE-2024-51138, CVE-2024-51139) in firmware updates released between August and October 2024 [2, 4], indicating a continued focus on securing the web interface component. For security teams, identifying and patching affected Vigor routers is an urgent priority to prevent direct compromise of the network gateway.
The Global Reboot Incident and Link to Historical Flaws
In late March 2025, a separate wave of disruptions hit DrayTek users, characterized by routers entering unexplained reboot loops. Initial user reports pointed to random and repeated reboots causing significant downtime. DrayTek’s first investigation suggested the exploitation of a vulnerability disclosed in early March [2, 5]. However, threat intelligence from GreyNoise provided a more detailed picture, correlating the event with active in-the-wild exploitation of three specific older DrayTek vulnerabilities that had been observed for at least 45 days [2, 7, 9].
GreyNoise data showed exploitation activity from numerous IPs targeting these old Common Vulnerabilities and Exposures (CVE) entries. CVE-2020-8515, a remote code execution flaw, was being targeted by 82 unique IPs over a 30-day period, primarily focusing on systems in Indonesia, Hong Kong, and the United States [2, 9]. The directory traversal vulnerabilities CVE-2021-20123 and CVE-2021-20124, affecting DrayTek’s Vigor Connect software, were observed from 23 and 22 IPs respectively, targeting Lithuania, the U.S., and Singapore [2, 9]. While GreyNoise noted the timing was highly coincidental, they could not definitively confirm these exploits were the direct cause of the reboots [2].
DrayTek’s Official Explanation and Mitigation Guidance
On March 28, 2025, DrayTek released Security Advisory DSA-2025-003 to clarify the reboot phenomenon [4, 5]. The company stated that the reboots were caused by repeated, suspicious TCP connection attempts originating from IP addresses with known bad reputations. Crucially, these connection attempts could only trigger a reboot on unpatched devices that had specific services exposed: either SSL VPN enabled or Remote Management enabled without a restrictive Access Control List (ACL) in place [4, 5].
The underlying vulnerabilities being exploited were not new; patches had been available since 2020. The reboot behavior itself was a new manifestation, representing the first time these old flaws were observed being exploited at such a large scale [4, 5]. A key question raised by SecurityWeek remains unanswered: whether the router reboots were the intended goal of the attacker—perhaps to cause denial-of-service—or merely a side-effect of failed exploitation attempts on vulnerable systems [5]. This distinction is important for understanding the threat actor’s motivations, whether they are focused on disruption or seeking persistent access.
Historical Context and Systemic Challenges
The March 2025 incidents are not isolated events but part of a longer history of security issues with DrayTek devices. In October 2024, a research report dubbed “Dray:Break” by Forescout Vedere Labs disclosed 14 vulnerabilities affecting an estimated 704,000 DrayTek routers across 168 countries, with a high concentration in the UK [6, 8]. Of the 24 affected models, 11 were already end-of-life, complicating the patch landscape. These vulnerabilities, many enabling remote code execution, were also detailed by security firm Fuse CS, highlighting the extensive attack surface presented by these widely deployed devices [10].
Further back, 2022 saw Trellix discover an unauthenticated RCE tracked as CVE-2022-32548 [3]. The very vulnerabilities exploited in the 2025 reboot incident—CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124—were originally disclosed between 2020 and 2021 [4, 9]. This pattern demonstrates a systemic challenge where old, patched vulnerabilities remain a potent threat years after fixes are released, primarily due to inconsistent patch management practices by end-users, particularly in the small and medium-sized business market that DrayTek often serves.
Relevance and Remediation for Security Professionals
For security teams, the DrayTek situation is a case study in the real-world impact of patch management failures on network perimeter security. The reboot incident was a direct consequence of unpatched systems, some of which had fixes available for over four years. Network administrators must prioritize the hardening of perimeter devices like routers, which are high-value targets for attackers seeking to compromise entire networks.
The consensus from DrayTek and cybersecurity experts provides a clear path to mitigation. First and foremost, applying the latest firmware updates from DrayTek’s official support portal is the most critical action [2, 4, 8, 9]. Second, organizations should disable unnecessary services, specifically Remote Management and SSL VPN, if they are not required for business operations [4, 5]. If Remote Management is essential, it must be protected by an Access Control List (ACL) restricting access to specific, trusted IP addresses only [4, 5].
Additional defensive measures include implementing strong, unique passwords for the router’s admin interface [9] and establishing monitoring for anomalous activity. Sending router logs to a central syslog server and leveraging threat intelligence feeds to watch for known malicious IPs targeting these vulnerabilities can provide early detection of exploitation attempts [2, 8]. For threat intelligence researchers, tracking exploitation activity related to CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124 provides insight into ongoing campaigns targeting network infrastructure.
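The detection approach described above (central syslog plus a bad-reputation IP list, correlated with the connection-attempt-then-reboot pattern DrayTek described in DSA-2025-003), as an added example that is not from the page's sources or from DrayTek: the log line layout, hostnames, IP addresses, ports and the threat-intel set are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines from two perimeter routers. The layout (timestamp,
# hostname, message) is an assumption for this example, not DrayTek's real log format.
SAMPLE_LOGS = """\
2025-03-26T09:00:01Z vigor-branch-1 TCP connect from 203.0.113.7:51522 to 192.0.2.1:443
2025-03-26T09:00:02Z vigor-branch-1 TCP connect from 203.0.113.7:51523 to 192.0.2.1:443
2025-03-26T09:00:03Z vigor-branch-1 TCP connect from 203.0.113.7:51524 to 192.0.2.1:443
2025-03-26T09:00:09Z vigor-branch-1 System restart
2025-03-26T09:05:00Z vigor-branch-2 TCP connect from 198.51.100.20:40001 to 192.0.2.2:443
2025-03-26T09:05:30Z vigor-branch-2 TCP connect from 198.51.100.20:40002 to 192.0.2.2:8443
"""
# Constructed stand-in for a threat-intelligence feed of bad-reputation source IPs.
BAD_REPUTATION_IPS = {"203.0.113.7"}
# Ports on which SSL VPN / Remote Management are exposed in this constructed deployment.
MGMT_PORTS = {443, 8443}
CONNECT_RE = re.compile(
    r"TCP connect from (?P<src>\d+\.\d+\.\d+\.\d+):\d+ to \S+:(?P<dport>\d+)")


def analyze(log_text, bad_ips=BAD_REPUTATION_IPS, mgmt_ports=MGMT_PORTS, burst=3):
    """Return alerts for bad-reputation or repeated management-port probes and for reboots."""
    attempts = Counter()         # (router, source IP) -> connects to management ports
    reboots = defaultdict(list)  # router -> timestamps of restart events
    alerts = []
    for raw in log_text.splitlines():
        parts = raw.split(" ", 2)   # timestamp, router hostname, message
        if len(parts) != 3:
            continue
        ts, host, msg = parts
        c = CONNECT_RE.search(msg)
        if c and int(c["dport"]) in mgmt_ports:
            key = (host, c["src"])
            attempts[key] += 1
            if attempts[key] == 1 and c["src"] in bad_ips:
                alerts.append(f"{host}: management port contacted by bad-reputation IP {c['src']}")
            if attempts[key] == burst:
                alerts.append(f"{host}: {burst} connection attempts to management ports from {c['src']}")
        elif "System restart" in msg:
            reboots[host].append(ts)
    # A reboot on a router that was also being probed matches the pattern DSA-2025-003 describes.
    for host, times in reboots.items():
        n = sum(v for (h, _), v in attempts.items() if h == host)
        alerts.append(f"{host}: {len(times)} reboot(s) after {n} management-port connection attempts; "
                      "verify firmware level and Remote Management ACL")
    return alerts

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_LOGS)))
```

In production the bad-reputation set would be loaded from a live feed and the burst threshold tuned to the site's normal administrative traffic.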
Conclusion
The ongoing security issues with DrayTek routers underscore a persistent challenge in cybersecurity: the long tail of vulnerabilities. The “Dray:Break” report from late 2024 revealed a massive pool of vulnerable devices, which set the stage for the widespread impact witnessed in March 2025. While a new critical RCE flaw demands attention, the larger operational disruption resulted from the exploitation of old, known vulnerabilities. This incident serves as a powerful reminder that consistent and timely patch management for all network infrastructure, especially internet-facing devices, is a non-negotiable component of a robust security posture. The resilience of an organization’s network depends not only on addressing the latest threats but also on systematically managing risks from the past.
References
- [1] DrayTek Security Advisory (DSA-2025-001 & DSA-2025-002). DrayTek. Accessed: Oct. 2, 2025.
- [2] GreyNoise Intelligence. “Observations on DrayTek Vulnerability Exploitation.” Accessed: Oct. 2, 2025.
- [3] Trellix. “Discovery of CVE-2022-32548 in DrayTek Vigor Routers.” Accessed: Oct. 2, 2025.
- [4] DrayTek Security Advisory (DSA-2025-003). DrayTek. Accessed: Oct. 2, 2025.
- [5] SecurityWeek. “DrayTek Attributes Router Reboots to Exploitation of Old Flaws.” Mar. 28, 2025. Accessed: Oct. 2, 2025.
- [6] Forescout Vedere Labs. “Dray:Break – 14 Vulnerabilities in DrayTek Routers.” Oct. 2024. Accessed: Oct. 2, 2025.
- [7] GreyNoise Intelligence. “Threat Intelligence Report on DrayTek Exploitation.” Accessed: Oct. 2, 2025.
- [8] Forescout Vedere Labs. “Research Report on DrayTek Router Vulnerabilities.” Accessed: Oct. 2, 2025.
- [9] GreyNoise Intelligence. “Exploitation Data for CVE-2020-8515, CVE-2021-20123, CVE-2021-20124.” Accessed: Oct. 2, 2025.
- [10] Fuse CS. “Detailed Analysis of Dray:Break Vulnerabilities.” Accessed: Oct. 2, 2025.