DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign 

Two DrayTek vulnerabilities added by CISA to its KEV catalog have been exploited by multiple threat groups to steal data from organizations worldwide.

Two old vulnerabilities affecting a DrayTek product have been exploited by multiple threat groups to target organizations worldwide, SecurityWeek has learned.

The US cybersecurity agency CISA this week added to its Known Exploited Vulnerabilities (KEV) catalog two flaws found by Tenable researchers in 2021 in DrayTek VigorConnect, management software for DrayTek network equipment.

The exploited flaws, tracked as CVE-2021-20123 and CVE-2021-20124, are path traversal issues that allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges. The vendor patched both vulnerabilities in October 2021.
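Two things a defender can do about a bug class like this, whether or not the vendor patch has been applied: look for traversal attempts in web-server logs, and make sure any file-download handler of their own refuses paths that climb above its root. The script below is an added example written for this article, not code from DrayTek, Tenable or Fortinet. The article does not publish the vulnerable VigorConnect endpoints, so the `/download?file=` endpoint and the access-log lines are constructed for illustration and are not the real exploit requests; the detection logic (decode the target the way a lenient server would, normalise separators, and flag any segment sequence that leaves the web root) is generic to path traversal.

```python
"""
Added example: generic path traversal detection over access-log lines, plus a
hardened server-side path resolver. Not DrayTek/VigorConnect code; the
endpoint and log lines are constructed and do not reflect the real exploit.
"""
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access log in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [28/Aug/2024:10:01:05 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1840
203.0.113.12 - - [28/Aug/2024:10:01:09 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 930
203.0.113.13 - - [28/Aug/2024:10:01:12 +0000] "GET /download?file=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1840
203.0.113.14 - - [28/Aug/2024:10:01:15 +0000] "GET /static/css/../style.css HTTP/1.1" 200 220
203.0.113.15 - - [28/Aug/2024:10:01:20 +0000] "GET /download?file=..\\..\\windows\\win.ini HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) (?P<size>\d+)'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so double encoding
    (%252e -> %2e -> '.') does not slip past the check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(value):
    """True if `value`, taken as a path under a web root, climbs above it.
    Backslashes are treated as separators, as a Windows-hosted server would.
    '/static/css/../style.css' is fine; '../../etc/passwd' is not."""
    decoded = fully_decode(value).replace("\\", "/")
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def suspicious_parts(target):
    """Return (where, value) pairs in a request target that escape the root,
    checking both the URL path and every query-string value."""
    parts = urlsplit(target)
    hits = []
    if escapes_root(parts.path):
        hits.append(("path", parts.path))
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if escapes_root(val):
            hits.append((key, val))
    return hits


def scan_log(text):
    """Return one finding per log line whose request tries to leave the web
    root. The status code is kept: a 200 on a traversal request is the line
    that matters, since it suggests the file was actually served."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_parts(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": m["target"], "hits": hits})
    return findings


def resolve_within(base_dir, requested):
    """Hardened download handler check: resolve the requested name under
    base_dir and return the real path, or None if it lands outside base_dir.
    Decoding happens before joining so encoded '..' cannot bypass the check."""
    base = os.path.realpath(base_dir)
    relative = fully_decode(requested).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} {f['target']} hits={f['hits']}")
```

The log scanner deliberately decodes more aggressively than a compliant server would, because the goal is to surface attempts, not to reproduce the server's parsing; tune `max_rounds` and the list of inspected parameters to the application being protected. For the server-side check, `os.path.realpath` also collapses symlinks, so a symlink planted inside the download directory cannot be used to reach outside it.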

There do not appear to be any public reports describing in-the-wild attacks in which these DrayTek vulnerabilities have been exploited. However, SecurityWeek noticed a Fortinet IPS advisory created in June 2024 and updated in late July that mentioned CVE-2021-20123 being exploited in attacks.

Val Saengphaibul, director of threat response at FortiGuard Labs, told SecurityWeek that the company has seen CVE-2021-20123 being exploited in a worldwide campaign targeting various industries, including finance payroll, networking, manufacturing, real estate, telecom, and technology (storage, software and hardware companies). 

“At this time, we do not see any specific attacks, as they appear to be broad in scope and not targeting a specific region or vertical,” Saengphaibul said. “We do not believe that this is the work of a specific group, but multiple threat actor groups trying to exploit this vulnerability to exfiltrate data from affected organizations.”

Saengphaibul noted that there was a spike in exploitation attempts on August 28 and 29, which may be what prompted CISA to add the vulnerabilities to its KEV catalog.  

“Although this vulnerability is several years old, this highlights that threat actors are always seeking to exploit unpatched machines due to the fact that many organizations aren’t very proactive about patching for a multitude of reasons,” Saengphaibul added.

Fortinet has not mentioned CVE-2021-20124, but the two flaws affect the same product and were patched together, so it is likely that it has been exploited in the same attacks as CVE-2021-20123.

Attacks on DrayTek products are not new. In 2018, threat actors exploited a zero-day to change DNS settings in DrayTek routers, and two years later news broke about two other zero-days being exploited to target the company's enterprise routers.

A Shodan search for DrayTek returns more than 600,000 results, so it is not surprising that the company's products are being targeted by threat actors.

Related: Hackers Target Vulnerability Found Recently in Long-Discontinued D-Link Routers

Related: Mysterious Threat Actor Used Chalubo Malware to Brick 600,000 Routers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
