Thousands of DrayTek Routers at Risk Due to Multiple Vulnerabilities

CyberPro Magazine

[Source – thehackernews.com]

Potentially tens of thousands of DrayTek routers, widely used by businesses and government agencies, are exposed to 14 newly disclosed firmware vulnerabilities. The flaws, which range in severity, could let attackers achieve remote code execution, cause denial of service, steal data, and hijack sessions. They were found by Forescout's Vedere Labs during an investigation of the routers' firmware.

A Range of Vulnerabilities Impacting DrayTek Routers

The investigation identified 14 vulnerabilities affecting 24 DrayTek router models. Two critical flaws demand immediate attention: CVE-2024-41592, a maximum-severity (CVSS 10.0) remote code execution bug, and CVE-2024-41585, a command execution vulnerability scored 9.1. Of the remaining twelve, nine were rated medium severity and three low.

Forescout's researchers counted more than 704,000 Internet-exposed DrayTek routers, most of them in Europe and Asia. A significant share are deployed in commercial environments, which raises the stakes for business continuity and reputation if an attack succeeds. The report warns that successful exploitation could mean extended downtime, loss of customer trust, and potentially severe regulatory consequences.

Patching Alone May Not Be Sufficient

In response, DrayTek has released firmware updates containing patches for all affected routers. However, Daniel dos Santos, head of security research at Forescout Vedere Labs, cautions that applying the patches alone is not enough and advises organizations to put longer-term mitigations in place. His team's research documents a history of critical vulnerabilities in DrayTek routers, many of which have been exploited by botnets and other malware.

Although attackers can easily locate exposed DrayTek routers with search engines such as Shodan or Censys, exploitation is harder for now because Forescout did not publish detailed proof-of-concept code. That barrier is temporary: if an attacker or researcher develops and publishes a working exploit, widespread attacks could follow quickly.

Growing Target for Threat Actors

This disclosure comes as threat actors, including nation-state groups, increasingly target routers and other network devices from vendors such as DrayTek, Fortinet, and Zyxel. In a recent advisory, the FBI and the US National Security Agency described Chinese threat actors operating botnets of compromised routers and Internet of Things devices. Those devices are used as proxies to launch distributed denial-of-service (DDoS) attacks or as footholds for further compromise of targeted networks.

Forescout's report also noted a troubling pattern: organizations have been slow to address vulnerabilities in DrayTek products. Although 18 high-severity vulnerabilities have been disclosed in DrayTek routers since 2020, nearly 38% of the more than 704,000 devices Forescout identified were still unpatched against flaws disclosed two years ago. Dos Santos attributes this to a lack of visibility into unmanaged devices such as routers, which leaves organizations unaware of the vulnerable equipment on their own networks. He urged proactive measures: disable remote access where it is not needed, use secure management protocols, and ensure proper network segmentation.
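Checking your own estate for the exposure pattern described above, as an added example that is not from the article or from Forescout: the script below triages constructed Shodan/Censys-style host records, flags every DrayTek Vigor management interface reachable from the Internet (the "disable remote access where unnecessary" point), and compares each device's firmware against a per-model patch baseline to produce an unpatched share like the 38% figure. The record fields, the hypothetical IPs, the firmware strings, the model-in-title heuristic, and the baseline versions are all assumptions of this example; substitute the fixed versions from DrayTek's advisory for your own models.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed host records in the shape of a Shodan/Censys-style export.
# IPs are from the RFC 5737 documentation ranges; titles, ports and
# firmware strings are made up for this example and are not real scan data.
SCAN_RECORDS: List[dict] = [
    {"ip": "192.0.2.10", "port": 443, "title": "Vigor2960 Login", "firmware": "1.5.1.4"},
    {"ip": "192.0.2.11", "port": 8443, "title": "Vigor3910 Login", "firmware": "4.3.2.8"},
    {"ip": "198.51.100.5", "port": 443, "title": "Vigor3910 Login", "firmware": "4.4.3.1"},
    {"ip": "198.51.100.9", "port": 443, "title": "Some Other Router", "firmware": "2.0.0"},
]

# Per-model baseline: the lowest firmware version YOU have confirmed carries
# the fixes, taken from the vendor advisory for your models. The values here
# are placeholders for the example, not DrayTek's actual patched versions.
MIN_PATCHED: Dict[str, str] = {
    "Vigor2960": "1.5.1.5",
    "Vigor3910": "4.4.3.1",
}

# Assumption of this example: the web UI login page title carries the model
# name (e.g. "Vigor3910"), so the model can be recovered from the banner.
MODEL_RE = re.compile(r"\b(Vigor\d{3,4}[A-Za-z]*)\b")


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.4.3.1' -> (4, 4, 3, 1); numeric tuples compare correctly where a
    plain string comparison would sort '4.10' before '4.9'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    model: str
    firmware: str
    outdated: bool  # True when below the per-model baseline (or no baseline known)
    reason: str


def triage(records: List[dict], baseline: Dict[str, str] = MIN_PATCHED) -> List[Finding]:
    """Every Internet-reachable DrayTek management UI is a finding, because the
    recommendation is to disable WAN-side remote access where it is not needed.
    The firmware comparison then says which of those also still need a patch."""
    findings: List[Finding] = []
    for r in records:
        m = MODEL_RE.search(r.get("title", ""))
        if not m:
            continue  # not a DrayTek Vigor login page; out of scope here
        model, fw = m.group(1), r.get("firmware", "")
        if model not in baseline:
            findings.append(Finding(r["ip"], r["port"], model, fw, True,
                                    "exposed management UI; no patch baseline for this model"))
        elif not fw or parse_version(fw) < parse_version(baseline[model]):
            findings.append(Finding(r["ip"], r["port"], model, fw, True,
                                    f"exposed management UI; firmware below {baseline[model]}"))
        else:
            findings.append(Finding(r["ip"], r["port"], model, fw, False,
                                    "exposed management UI; firmware at or above baseline"))
    return findings


def unpatched_share(findings: List[Finding]) -> float:
    """Fraction of exposed DrayTek devices still below their patch baseline,
    the same kind of figure as the 38% the article cites."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.outdated) / len(findings)


if __name__ == "__main__":
    results = triage(SCAN_RECORDS)
    for f in results:
        print(f"{f.ip}:{f.port} {f.model} fw={f.firmware} -> {f.reason}")
    print(f"unpatched share: {unpatched_share(results):.0%}")
```

Note that a device at or above its baseline is still reported: the firmware check answers "is it patched?", while the exposure itself answers "should this interface be reachable from the Internet at all?", and the second question is the one the report's segmentation and remote-access advice is about.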
