Critical flaws left 700,000 DrayTek routers exposed – but don’t worry, there’s a fix


Security researchers have uncovered 14 vulnerabilities in DrayTek routers that left hundreds of thousands of devices exposed.

The flaws affect 24 DrayTek router models, with more than two-thirds either end-of-sale (EoS) or end-of-life (EoL) products, making them more difficult to patch and protect.

More than 425,000 of the exposed devices are in the UK and EU, with over 190,000 in Asia. Crucially, researchers warned that three-quarters are being used commercially.

The 14 previously unknown vulnerabilities could, if left unaddressed, allow attackers to gain full control over these devices, potentially leading to ransomware, denial of service (DoS), and other attacks.

They include one with the highest possible severity rating of 10 and another scoring 9.1, which could allow attackers to conduct remote code execution and OS command injection attacks.

"Routers are crucial for keeping internal systems connected to the outside world yet too many organizations overlook their security until they are exploited by attackers," said Barry Mainz, CEO of Forescout, which uncovered the flaws.

"Cyber criminals work around the clock to find cracks in routers' defenses, using them as entry points to steal data or cripple business operations. Forescout’s DrayTek research is just the latest example to show how routers continue to be the riskiest device category across all assets."

By exploiting the DrayTek vulnerabilities, attackers could deploy a persistent rootkit to intercept and analyze network traffic, stealing sensitive data such as credentials or confidential information.

And once inside, they could move laterally across the network, compromising other devices and potentially leading to ransomware, DoS attacks, or the creation of botnets for distributed attacks.

High-performance routers, such as the Vigor3910, could even be repurposed as command-and-control (C2) servers, Forescout warned, enabling attackers to launch further attacks on other victims.

While DrayTek has now patched all the firmware vulnerabilities, organizations still need to take action: applying the patch, disabling unnecessary remote access, implementing access control lists and two-factor authentication, and monitoring for anomalies through syslog logging.

Network segmentation is also essential and outdated devices should be replaced.

However, Adam Brown, managing security consultant at Black Duck Software, said that while it’s not surprising to find such flaws in end-of-life technology, it’s concerning to see them in current products.

"Security bugs such as buffer overflows can be detected during the engineering phase of a product if the producer is using enterprise-grade testing tools and services. It’s disappointing to see these bugs in the wild now," he said.

"This situation is further impacted by DrayTek’s market, which appears to be small to medium enterprises, who are less likely to have strong cybersecurity capabilities to detect and act on these findings."

Earlier this year, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that routers were increasingly becoming a target for cyber criminals and called on manufacturers to improve their design, development, and delivery processes.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.