Forescout Technologies Uncovers Critical Vulnerabilities in DrayTek Routers, Exposing Devices to Remote Hacking
Forescout Technologies has identified over a dozen security vulnerabilities in routers produced by Taiwanese networking company DrayTek, including several critical flaws that could enable remote hacking attacks.
The 14 vulnerabilities, collectively named DRAY, affect more than 20 different DrayTek Vigor router models. While DrayTek has issued firmware patches to address all of the security flaws, about half of the affected routers are outdated and will not receive any fixes due to their end-of-life status.
Despite the availability of patches, many owners appear to neglect updating their devices. Forescout discovered that nearly 40% of DrayTek routers remain vulnerable to security flaws that were identified years ago, including some that have already been exploited in real-world attacks.
According to Forescout, more than 700,000 DrayTek routers are currently exposed to the internet, with the majority located in Europe and Asia. Of these, nearly 75% are used in commercial settings, and 63% are no longer sold or no longer supported by the manufacturer.
While the exact number of devices vulnerable to the newly discovered flaws is unknown, Forescout estimates that hundreds of thousands could be at risk. Many of the identified vulnerabilities are rated as ‘critical’ or ‘high’ severity, with some allowing attackers to gain complete remote control of the devices.
“Since these new vulnerabilities allow attackers to fully control routers, which serve as the gateway between internal and external networks, they present numerous potential attack vectors,” Forescout warned.
The company explained that attackers could exploit these vulnerabilities for activities such as espionage, data theft, or the installation of persistent malware, like rootkits, that survive reboots and firmware updates. They could also intercept network traffic to collect sensitive information, such as login credentials.
Furthermore, compromised routers could be used to infiltrate other devices within the victim’s internal network, leading to the deployment of ransomware or causing additional damage. Attackers might also use these routers to build botnets for launching distributed denial-of-service (DDoS) attacks, mining cryptocurrency, or proxying internet traffic.
In particular, high-performance routers like the DrayTek Vigor3910 could be repurposed as command-and-control servers, enabling attackers to coordinate more extensive cyberattacks on other targets, Forescout noted.