
CERT Coordination Center

Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface

Vulnerability Note VU#294418

Original Release Date: 2025-10-03 | Last Revised: 2025-10-16

Overview

A remote code execution (RCE) vulnerability was discovered through the EasyVPN and LAN web administration interface of Vigor routers by DrayTek. A script in the LAN web administration interface uses an uninitialized variable, allowing an attacker to inject arbitrary commands through memory corruption with specially crafted HTTP requests.

Description

Vigor routers are business-grade routers, designed for small to medium-sized businesses, made by DrayTek. These routers provide routing, firewall, VPN, content-filtering, bandwidth management, LAN (local area network), and multi-WAN (wide area network) features. DrayTek uses proprietary firmware, DrayOS, on the Vigor router line. The DrayOS features EasyVPN and LAN Web Administrator facilitate easy setup for administrators. EasyVPN simplifies the setup of secure VPN connections. LAN Web Administrator provides a browser-based user interface for router management.

When a user interacts with the LAN Web Administration interface, the user interface elements trigger actions that generate HTTP requests to interact with the local server. This process contains an uninitialized variable. Due to the uninitialized variable, an unauthenticated attacker could perform memory corruption on the router via specially crafted HTTP requests to hijack execution or inject malicious payloads. If EasyVPN is enabled, the flaw could be remotely exploited through the VPN interface.

Impact

A remote, unauthenticated attacker can exploit this vulnerability through the LAN interface, or potentially the WAN interface, if EasyVPN is enabled or remote administration over the internet is activated. If a remote, unauthenticated attacker leverages this vulnerability, they can execute arbitrary code on the router (RCE) and gain full control of the device. A successful attack could result in an attacker gaining root access to a Vigor router, installing backdoors, reconfiguring network settings, and blocking traffic. An attacker may also pivot for lateral movement by intercepting internal communications and bypassing VPNs.

Solution

The DrayTek Security team has developed a series of patches to remediate the vulnerability, and all users of Vigor routers should upgrade to the latest version ASAP. The patches can be found on the resources page of the DrayTek webpage, and the security advisory can be found within the about section of the DrayTek webpage. Consult either the CVE listing or the advisory page for a full list of affected products.

Acknowledgements

Thanks to the reporter, Pierre-Yves (maes.challenge@gmail.com). This document was written by Ayushi Kriplani.

Vendor Information


DrayTek Corporation Affected

Notified:  2025-09-15 Updated: 2025-10-03

Statement Date:   September 16, 2025

CVE-2025-10547 Affected

Vendor Statement

The issue is confirmed, and here is the patch list

V3912/V3910/V2962/V1000B 4.4.3.6/4.4.5.1
V2927/V2865/V2866 4.5.1
V2765/V2766/V2763/V2135 4.5.1
V2915 4.4.6.1
V2862/V2926 3.9.9.12
V2952/3220 3.9.8.8
V2860/V2925 3.9.8.6
V2133/V2762/V2832 3.9.9.4
V2620/LTE200 3.9.9.5
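For checking a router inventory against the patch list above, the following is an added example, not part of the vendor statement or the CERT/CC note. It assumes that "4.4.3.6/4.4.5.1" names the fixed build on two separate firmware branches, that later builds keep the fix, and that inventory names map to the list by dropping a leading "Vigor" or "V"; the `_STD` suffix and the inventory rows are constructed.

```python
import re

# Fixed firmware per model family, transcribed from the vendor statement above.
# Assumption: "4.4.3.6/4.4.5.1" gives the fixed build on two firmware branches.
PATCH_LIST = {
    "3912 3910 2962 1000B": ["4.4.3.6", "4.4.5.1"],
    "2927 2865 2866": ["4.5.1"],
    "2765 2766 2763 2135": ["4.5.1"],
    "2915": ["4.4.6.1"],
    "2862 2926": ["3.9.9.12"],
    "2952 3220": ["3.9.8.8"],
    "2860 2925": ["3.9.8.6"],
    "2133 2762 2832": ["3.9.9.4"],
    "2620 LTE200": ["3.9.9.5"],
}
FIXED = {m: v for models, v in PATCH_LIST.items() for m in models.split()}


def parse_version(text):
    """Return the leading dotted version as a 4-tuple, or None if absent."""
    m = re.match(r"\s*v?(\d+(?:\.\d+){1,3})", text, re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def status(model, firmware):
    """Classify one device as patched, vulnerable, or needing manual review."""
    key = re.sub(r"^(VIGOR|V)\s*", "", model.strip().upper())
    fixes = FIXED.get(key)
    installed = parse_version(firmware)
    if fixes is None or installed is None:
        return "review"  # model not in the list, or version unreadable
    fixes = sorted(parse_version(f) for f in fixes)
    if installed >= fixes[-1]:
        return "patched"
    # Below the newest fix: patched only if on an older branch at/after its fix.
    same_branch = [f for f in fixes if f[:3] == installed[:3]]
    return "patched" if any(installed >= f for f in same_branch) else "vulnerable"


# Constructed inventory rows (model, reported firmware), not real devices.
INVENTORY = [("Vigor2927", "4.4.5.9"), ("V3910", "4.4.3.6_STD"),
             ("V3910", "4.4.5.0"), ("LTE200", "3.9.9.5"), ("Vigor9999", "1.0.0")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:10} {fw:12} {status(model, fw)}")
```

Devices reported as "review" are models or version strings the list does not cover and should be checked against the vendor advisory by hand.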


Other Information

CVE IDs: CVE-2025-10547
API URL: VINCE JSON | CSAF
Date Public: 2025-10-03
Date First Published: 2025-10-03
Date Last Updated: 2025-10-16 18:51 UTC
Document Revision: 3

Sponsored by CISA.