Taiwan-based networking equipment manufacturer DrayTek has shared some clarifications regarding the recent router reboots reported by customers around the world, but some questions remain unanswered.
In late March, DrayTek router users in the UK, Australia and other countries started reporting that their devices had been constantly rebooting, causing connectivity issues. When the first reports emerged, the vendor suggested that the exploitation of a vulnerability may be involved, but did not share any information on which flaw may be responsible.
In response to the increasing number of reports, DrayTek published a second advisory clarifying that the incidents appear to mainly involve older router models running outdated firmware.
“Our investigation has determined that DrayTek Routers were targeted to repeated, suspicious, and potentially malicious TCP connection attempts originating from IP addresses with known bad reputations,” DrayTek explained. “These attempts could trigger the router to reboot in unpatched devices if those devices have SSL VPN Enabled, or Remote Management enabled without the protection of an Access Control List (ACL).”
The company has listed several Vigor router models that appear to have been impacted, but noted that firmware updates released for them in 2020 should patch the “issue”, for which exploitation in the wild is now being seen for the first time.
However, it’s still unclear exactly which vulnerability — or vulnerabilities — has been exploited. In addition, it’s unclear what the attackers’ goal is and whether the device reboots are an intended outcome or an effect of failed exploitation attempts.
On the social media platform X, DrayTek said on March 26 that the issue appears to be related to a vulnerability disclosed in early March, but did not say exactly which flaw.
The vendor published two security advisories in early March: one describes half a dozen Vigor router vulnerabilities allowing DoS attacks, information disclosure, and code execution; and the second describes two code execution vulnerabilities. In both advisories, the company indicated that the firmware patches addressing these flaws had been available since the fall of 2024.
Threat intelligence firm GreyNoise has published a blog post describing the exploitation attempts it has seen in recent days against DrayTek routers. Three flaws have been exploited, including CVE-2020-8515, CVE-2021-20123 and CVE-2021-20124, but the company could not confirm whether any of them are involved in the recent attacks.
DrayTek notified SecurityWeek when its second advisory was published, but did not respond to follow-up emails seeking clarifications.
Related: DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign
Related: Unpatched Edimax Camera Flaw Exploited Since at Least May 2024
Related: Four-Faith Industrial Router Vulnerability Exploited in Attacks
