Draytek CVE 2025-10547

Critical security vulnerabilities discovered in several DrayTek products on July 22, 2025. These vulnerabilities include unauthenticated remote attackers send some crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI). We have addressed these issues and released firmware updates to enhance security.

• Security Advisory: Use of Uninitialized Variable Vulnerabilities (CVE-2025-10547)

We strongly recommend that you check the firmware of units you own / manage and ensure that you are running patched versions.

Vulnerability Details

• Publish Date: 2025/10/03
• CVE ID: CVE-2025-10547
• Types: An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption.

GEN Activity

We are actively updating any affected devices which will result in a minute of connectivity interruption as the hardware reboots. This is essential to protect your security and cannot be avoided in this case. 

Urgent Action Required

We strongly recommend that you check the firmware of units you own / manage and ensure that you are running patched versions. If not, upgrade your firmware immediately to the version listed below for your device.

Before upgrading:

• Back up your current configuration (System Maintenance > Config Backup).
• Use the ".ALL/.SFW" file for upgrading to preserve your settings.
• If upgrading from an older version, review the release notes for specific instructions.

If remote access is enabled:

• Disable it unless absolutely necessary.
• Use an access control list (ACL) and enable 2FA if possible.
• For unpatched routers, disable both remote access (admin) and SSL VPN.
• Note: ACL doesn't apply to SSL VPN (Port 443), so temporarily disable SSL VPN until upgraded.

Affected Products and Fixed Firmware Versions

• Vigor1000B - 4.4.3.6
• Vigor2962 / 3910 / 3912 - 4.4.3.6 / 4.4.5.1
• Vigor2135 / 2763 / 2765 / 2766 - 4.5.1
• Vigor2865 / 2866 / 2927 - 4.5.1
• Vigor2915 Series - 4.4.6.1
• Vigor2862 / 2926 - 3.9.9.12
• Vigor2952 / 3220 - 3.9.8.8
• Vigor2860 / 2925 - 3.9.8.6
• Vigor2133 / 2762 / 2832 - 3.9.9.4
• Vigor2620 LTE - 3.9.9.5
• VigorLTE 200n - 3.9.9.5

Additional Security Measures

We would recommend the following general best practices

• Regularly check for and apply firmware updates.
• Implement strong, unique passwords for all accounts.
• Enable and configure firewall settings appropriately.
• Monitor your network for any suspicious activities.

GEN HelpDesk

If you're having issues applying updates, or have a large estate and need assistance then we're here to help.