
DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign

Two DrayTek vulnerabilities added by CISA to its KEV catalog have been exploited by multiple threat groups to steal data from organizations worldwide.


Two old vulnerabilities affecting a DrayTek product have been exploited by multiple threat groups to target organizations worldwide, SecurityWeek has learned.

The US cybersecurity agency CISA this week added to its Known Exploited Vulnerabilities (KEV) catalog two flaws found by Tenable researchers in 2021 in DrayTek VigorConnect, a management software for DrayTek network equipment. 

The exploited flaws, tracked as CVE-2021-20123 and CVE-2021-20124, have been described as path traversal issues that can allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges. The vulnerabilities were patched by the vendor back in October 2021. 
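Because the two flaws are path traversal bugs that let an unauthenticated client pull arbitrary files, the practical defender's question is whether such requests have already hit a management interface. The following Python is an added example, not code from the article, Tenable, or DrayTek: it scans constructed web-server access-log lines for traversal sequences, URL-decoding repeatedly so that single-encoded (`..%2F`), double-encoded (`%252e%252e`) and filter-evasion (`....//`) forms are all caught, and rates a hit higher when the server answered 2xx with a body. The `/api/download?file=` endpoint, client IPs and timestamps are hypothetical placeholders; they are not the VigorConnect paths from the advisories.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style). The endpoint,
# client IPs and timestamps are hypothetical and are NOT taken from any
# DrayTek VigorConnect advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2024:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [28/Aug/2024:10:01:13 +0000] "GET /api/download?file=../../../../etc/passwd HTTP/1.1" 200 1872
203.0.113.12 - - [28/Aug/2024:10:01:14 +0000] "GET /api/download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 940
203.0.113.13 - - [28/Aug/2024:10:01:15 +0000] "GET /api/download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1872
203.0.113.14 - - [28/Aug/2024:10:01:16 +0000] "GET /api/download?file=report.pdf HTTP/1.1" 200 20480
203.0.113.15 - - [28/Aug/2024:10:01:17 +0000] "GET /api/download?file=....//....//etc/passwd HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Two or more dots bounded by a separator, a "=" (start of a query value) or
# string start/end. The "{2,}" also catches "...." variants that are used to
# slip past naive filters that only strip a literal "../".
TRAVERSAL_RE = re.compile(r'(?:^|[/=])\.{2,}(?:/|$)')


def normalize(target: str) -> str:
    """URL-decode until the string stops changing (defeats double encoding)
    and fold backslashes to forward slashes."""
    cur, prev = target, None
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the fully decoded request target contains a traversal sequence."""
    return TRAVERSAL_RE.search(normalize(target)) is not None


def scan(log_text: str) -> list:
    """Return one finding per request whose decoded target contains a
    traversal sequence. A 2xx answer with a non-empty body is rated
    'likely_read' because the server appears to have served the file;
    anything else is an 'attempt'."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        status, size = int(m["status"]), int(m["size"])
        findings.append({
            "ip": m["ip"],
            "decoded": normalize(m["target"]),
            "status": status,
            "severity": "likely_read" if 200 <= status < 300 and size > 0 else "attempt",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:11} {f['ip']:15} {f['status']} {f['decoded']}")
```

Run against real logs, the `likely_read` findings are the ones to triage first: a 200 with a body on a traversal request is a strong signal that a file left the box, whereas a 404 only shows that someone tried. Pairing the decoded path with the spike dates Fortinet mentions (August 28 and 29) narrows the window to check.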

There do not appear to be any public reports describing in-the-wild attacks in which these DrayTek vulnerabilities have been exploited. However, SecurityWeek noticed a Fortinet IPS advisory created in June 2024 and updated in late July that mentioned CVE-2021-20123 being exploited in attacks.

Val Saengphaibul, director of threat response at FortiGuard Labs, told SecurityWeek that the company has seen CVE-2021-20123 being exploited in a worldwide campaign targeting various industries, including finance payroll, networking, manufacturing, real estate, telecom, and technology (storage, software and hardware companies). 

“At this time, we do not see any specific attacks, as they appear to be broad in scope and not targeting a specific region or vertical,” Saengphaibul said. “We do not believe that this is the work of a specific group, but multiple threat actor groups trying to exploit this vulnerability to exfiltrate data from affected organizations.”


Saengphaibul noted that there was a spike in exploitation attempts on August 28 and 29, which may be what prompted CISA to add the vulnerabilities to its KEV catalog.  

“Although this vulnerability is several years old, this highlights that threat actors are always seeking to exploit unpatched machines due to the fact that many organizations aren’t very proactive about patching for a multitude of reasons,” Saengphaibul added.

While Fortinet has not mentioned CVE-2021-20124, it’s safe to assume that it has been exploited in the same attacks as CVE-2021-20123.

Hackers targeting DrayTek products in their campaigns is not unheard of. In 2018, threat actors exploited a zero-day to change DNS settings in DrayTek routers, and two years later news broke about two other zero-days being exploited to target the company’s enterprise routers. 

A Shodan search for DrayTek returns more than 600,000 results, so it's not surprising that the company's products are being targeted by threat actors.

Related: Hackers Target Vulnerability Found Recently in Long-Discontinued D-Link Routers

Related: Mysterious Threat Actor Used Chalubo Malware to Brick 600,000 Routers

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
