
SecurityWeek


Vulnerability Exploitation Possibly Behind Widespread DrayTek Router Reboots

DrayTek routers around the world are rebooting and the vendor’s statement suggests that it may involve the exploitation of a vulnerability.


Users around the world are complaining that routers made by Taiwan-based networking equipment manufacturer DrayTek are rebooting, causing connectivity issues.

Many reboots have been documented in the UK and Australia, but there are also reports from Germany, Vietnam, and other countries of various router models rebooting. 

ISPreview has been tracking the issue in the UK, where many broadband providers have reported significant customer connectivity issues due to DrayTek devices constantly rebooting. 

DrayTek has published an advisory in response to the router reboots, urging customers to disconnect the WAN and attempt to update the device’s firmware to the latest version. 

The advisory suggests that the firmware updates are needed to address a vulnerability, but does not provide any information on which flaw may have been exploited and it does not clearly say that malicious actors are causing the reboots.

Some ISPs in the UK have also suggested that a vulnerability is to blame. 

There are plenty of DrayTek router vulnerabilities that could have been exploited in attacks — the company regularly discloses flaws that could allow DoS attacks or remote code execution (an unsuccessful code execution exploit could also lead to DoS).

It’s not uncommon for threat actors to target DrayTek product vulnerabilities. For instance, Forescout reported recently that hundreds of organizations were hacked by ransomware groups through undocumented vulnerabilities in DrayTek devices, including a potential zero-day.


SecurityWeek has reached out to DrayTek for clarifications and will update this article if the company responds.

UPDATE, March 26, 2025: Threat intelligence firm GreyNoise has published a brief blog post describing the exploitation attempts it has seen in recent days against DrayTek router vulnerabilities. According to GreyNoise data, three flaws have been exploited in recent days: CVE-2020-8515, CVE-2021-20123 and CVE-2021-20124. It’s still unclear which of these, if any, is responsible for the reboots.

UPDATE, April 3, 2025: DrayTek has shared additional information, but questions remain over exactly which vulnerability has been targeted and what the attackers’ motives are.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
