Remote code execution flaw reported in DrayTek Vigor router models
Take action: If you have DrayTek Vigor routers, make sure the WebUI is isolated from the WAN, then plan a prompt patch to prevent LAN-based attacks. Given enough time, malware on an endpoint will attack the LAN side.
DrayTek has patched a security vulnerability affecting multiple Vigor router models that could allow unauthenticated remote attackers to execute arbitrary code on vulnerable devices.
The vulnerability, tracked as CVE-2025-10547 (CVSS not assigned), is an uninitialized stack value in the router's Web User Interface that can be triggered when unauthenticated remote attackers send specially crafted HTTP or HTTPS requests to the device. The uninitialized value can be used to make the free() function operate on an arbitrary memory location, a primitive known as an arbitrary free(). Successful exploitation may cause memory corruption and a system crash, and in certain circumstances may allow remote code execution, effectively granting attackers complete control over the compromised device.
Affected versions
- Vigor1000B, Vigor2962, Vigor3910, Vigor3912: Update to firmware version 4.4.3.6 or later (some models require 4.4.5.1 or later)
- Vigor2135, Vigor2763, Vigor2765, Vigor2766: Update to firmware version 4.5.1 or later
- Vigor2865 Series, Vigor2865 LTE Series, Vigor2865L-5G Series: Update to firmware version 4.5.1 or later
- Vigor2866 Series, Vigor2866 LTE Series: Update to firmware version 4.5.1 or later
- Vigor2927 Series, Vigor2927 LTE Series, Vigor2927L-5G Series: Update to firmware version 4.5.1 or later
- Vigor2915 Series: Update to firmware version 4.4.6.1 or later
- Vigor2862 Series, Vigor2862 LTE Series: Update to firmware version 3.9.9.12 or later
- Vigor2926 Series, Vigor2926 LTE Series: Update to firmware version 3.9.9.12 or later
- Vigor2952, Vigor2952P, Vigor3220: Update to firmware version 3.9.8.8 or later
- Vigor2860 Series, Vigor2860 LTE Series: Update to firmware version 3.9.8.6 or later
- Vigor2925 Series, Vigor2925 LTE Series: Update to firmware version 3.9.8.6 or later
- Vigor2133 Series, Vigor2762 Series, Vigor2832 Series: Update to firmware version 3.9.9.4 or later
- Vigor2620 Series: Update to firmware version 3.9.9.5 or later
- VigorLTE 200n: Update to firmware version 3.9.9.3 or later
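As an added example (not DrayTek's code and not part of the advisory), the following Python checks a router inventory against the minimum fixed firmware versions listed above, comparing version components numerically rather than as strings; the inventory under `__main__` is constructed for illustration.

```python
# Added example: patch-compliance check for CVE-2025-10547 against the
# minimum fixed firmware versions stated in the DrayTek advisory.

# Minimum fixed firmware per model, as listed in the advisory. Series, LTE
# and L-5G variants are looked up by their base model name.
MIN_FIXED = {
    "Vigor1000B": "4.4.3.6", "Vigor2962": "4.4.3.6",
    "Vigor3910": "4.4.3.6", "Vigor3912": "4.4.3.6",
    "Vigor2135": "4.5.1", "Vigor2763": "4.5.1", "Vigor2765": "4.5.1",
    "Vigor2766": "4.5.1", "Vigor2865": "4.5.1", "Vigor2866": "4.5.1",
    "Vigor2927": "4.5.1", "Vigor2915": "4.4.6.1",
    "Vigor2862": "3.9.9.12", "Vigor2926": "3.9.9.12",
    "Vigor2952": "3.9.8.8", "Vigor2952P": "3.9.8.8", "Vigor3220": "3.9.8.8",
    "Vigor2860": "3.9.8.6", "Vigor2925": "3.9.8.6",
    "Vigor2133": "3.9.9.4", "Vigor2762": "3.9.9.4", "Vigor2832": "3.9.9.4",
    "Vigor2620": "3.9.9.5", "VigorLTE 200n": "3.9.9.3",
}
# The advisory says "some models" in the first group need 4.4.5.1 without
# naming them, so firmware between 4.4.3.6 and 4.4.5.1 there is flagged.
AMBIGUOUS = {"Vigor1000B", "Vigor2962", "Vigor3910", "Vigor3912"}
AMBIGUOUS_SAFE = "4.4.5.1"


def parse_version(v: str) -> tuple:
    """Dotted firmware string to an int tuple, so 3.9.9.9 < 3.9.9.12 holds."""
    return tuple(int(p) for p in v.strip().split("."))


def base_model(model: str) -> str:
    """Strip ' Series', ' LTE' and 'L-5G' suffixes to reach the table key."""
    name = model.replace(" Series", "").replace(" LTE", "")
    return name.split("L-5G")[0]  # 'Vigor2865L-5G' -> 'Vigor2865'


def assess(model: str, firmware: str) -> str:
    """Return 'patched', 'vulnerable', 'verify' (ambiguous group) or 'unlisted'."""
    key = base_model(model)
    if key not in MIN_FIXED:
        return "unlisted"
    fw = parse_version(firmware)
    if fw < parse_version(MIN_FIXED[key]):
        return "vulnerable"
    if key in AMBIGUOUS and fw < parse_version(AMBIGUOUS_SAFE):
        return "verify"
    return "patched"


if __name__ == "__main__":  # constructed inventory, not real devices
    for model, fw in [("Vigor2865L-5G Series", "4.4.5.3"), ("Vigor3910", "4.4.3.6"),
                      ("Vigor2862 Series", "3.9.9.12"), ("Vigor2952P", "3.9.8.7")]:
        print(f"{model:22} {fw:9} {assess(model, fw)}")
```

A 'verify' result means the firmware meets the 4.4.3.6 floor but not the 4.4.5.1 that the advisory says some models in that group require, so the exact model must be checked against the vendor's table.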
Routers are partially protected from WAN-based attacks if remote access to the WebUI and SSL VPN services is disabled or if Access Control Lists are properly configured, but an attacker with access to the local network could still exploit the vulnerability via the WebUI.
DrayTek therefore strongly recommends upgrading the firmware to at least the minimum version specified in the advisory for each router.