Researchers at Trillex discovered an unauthenticated Remote Code Execution (RCE) vulnerability in 29 router models made by DrayTek. The vulnerability, tracked as CVE-2022-32548, carries a maximum CVSS v3 severity score of 10.0, categorizing it as critical. The attacker does not need credentials or user interaction to exploit the vulnerability with the default device configuration, making the attack viable via the internet or LAN. Attackers who exploit this vulnerability could potentially perform the following actions:
- Complete device takeover
- Information access
- Setup stealthy man-in-the-middle attacks
- Change DNS settings
- Use the routers as DDoS or cryptominer bots
- Pivot to devices connected to the breached network
Researchers found that of the 700,000 online devices, 200,000 expose vulnerable services on the internet and are readily exploitable, while the other 500,000 may also be exploited using one-click attacks.
DrayTek devices became very popular during the surge of work-from-home when the pandemic first started. DrayTek quickly released a patch for this vulnerability, and it can be downloaded to devices by navigating the firmware update center on the vendor’s website. Anytime a patch is released for a vulnerability, it should be tested and implemented as soon as possible, especially when the vulnerability has a severity rating as high as this one. A full list of affected devices and mitigation steps can be found in the source article.