
DNS Vulnerability Strikes Popular DrayTek Broadband ISP Routers

Monday, May 21st, 2018 (7:45 am) - Score 7,052

Taiwan-based telecoms kit manufacturer DrayTek has announced that a large number of their popular wireless routers are vulnerable to a new security exploit, which enables an attacker to remotely change the device’s DNS and DHCP settings in order to hijack your internet traffic or steal personal data.

The Domain Name System (DNS) works to convert IP addresses to a human readable form (e.g. to examplefakeblah.com) and back again. Most of the time your ISP runs the DNS servers, but end-users can also set their own computers and routers to use custom DNS solutions like OpenDNS or Google’s Public DNS. Sadly hackers can also set up their own DNS servers to hijack your internet traffic.

Recently a number of people using DrayTek kit spotted that somebody had changed their router’s DNS server to, which appears to have been achieved by exploiting a new weakness in the device rather than a brute-force attempt to crack admin passwords. In response DrayTek has published a new firmware update (v3.8.8.2) that should resolve the problem, although not all UK routers appear to have received this yet.

DrayTek Statement

We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers.

In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.

Until you have the new firmware installed, you should check your router’s DNS settings on your router and correct them if changed (or restore from a config backup). We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disable remote admin unless needed, or until firmware is updated. The list of updated firmware versions is as follows.

The company has done a good job of publishing two useful security updates (here and here) and the second one describes in detail how to resolve the problem. DrayTek notes that their wireless access points (VigorAP series), switches (VigorSwitch series) and the Vigor 2950, 2955, 2960, 3900 and 3300 series routers are NOT affected and do not need updating (but you should still always run the latest firmware on those anyway).
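
The check DrayTek recommends (confirm the DNS servers have not been changed) can also be run from any client on the LAN, because a router with altered DNS/DHCP settings hands the changed resolver to every device. The following is an added example, not code from DrayTek or this article; the allow-list and sample addresses are constructed documentation addresses that you would replace with the resolvers you actually expect.

```python
import ipaddress

# Assumption: resolvers you expect the router's DHCP server to hand out.
# Constructed documentation addresses (RFC 5737 / RFC 3849), not real servers.
EXPECTED = {"192.0.2.1", "2001:db8::53"}

def parse_nameservers(resolv_text):
    """Return nameserver entries from resolv.conf-style text (None = malformed)."""
    servers = []
    for line in resolv_text.splitlines():
        # '#' and ';' start comments in resolv.conf.
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            addr = parts[1].split("%", 1)[0]  # drop IPv6 zone id (fe80::1%eth0)
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                servers.append(None)
    return servers

def audit(resolv_text, expected=EXPECTED):
    """Return (finding, address) tuples; an empty list means all as expected."""
    # Parsing both sides normalises notation, so 2001:0db8:0:0:0:0:0:53
    # matches 2001:db8::53 instead of raising a false alarm.
    allowed = {ipaddress.ip_address(a) for a in expected}
    servers = parse_nameservers(resolv_text)
    findings = [] if servers else [("no-resolver", None)]
    for s in servers:
        if s is None:
            findings.append(("malformed", None))
        elif s.is_loopback:
            # A local stub (e.g. 127.0.0.53) hides the real upstream resolver;
            # inspect the stub's upstream (e.g. `resolvectl status`) instead.
            findings.append(("local-stub", str(s)))
        elif s not in allowed:
            findings.append(("unexpected", str(s)))
    return findings

# Constructed sample: a lease in which an unknown resolver was put first.
SAMPLE_TAMPERED = "# constructed sample\nnameserver 198.51.100.77\nnameserver 192.0.2.1\n"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for kind, addr in audit(fh.read()):
            print(f"{kind}: {addr}")
```

An `unexpected` finding on several clients at once points at the router's DNS/DHCP configuration rather than at one machine.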

List of Vulnerable Routers and New Firmware
Vigor120, version
Vigor122, version
Vigor130, version
VigorNIC 132, version
Vigor2120 Series, version
Vigor2132, version
Vigor2133, version
Vigor2760D, version
Vigor2762, version
Vigor2832, version
Vigor2860, version 3.8.8
Vigor2862, version
Vigor2862B, version
Vigor2912, version
Vigor2925, version
Vigor2926, version
Vigor2952, version
Vigor3220, version
VigorBX2000, version
VigorIPPBX2820, version
VigorIPPBX3510, version
Vigor2830nv2, version
Vigor2820, version
Vigor2710, version
Vigor2110, version
Vigor2830sb, version
Vigor2850, version
Vigor2920, version

11 Responses
  1. A_Builder says:

    2960 etc run a different branch of the firmware.

    Their GUI is very different from the other Draytek products.

    They are aimed more at enterprise as they are 1G/1G throughput firewalls with a lot more functionality for VPN and security management.

    What is slightly worrying is that the 130’s are vulnerable which is the modem of choice for FTTC connections. So even if your 2960 dual WAN router box is secure the DNS can still be subverted as it passes through the 130 modems.

    1. DevonPaddler says:

      No, if the Vigor130 is bridging the DNS can’t be “subverted” at all, the risk is only when in Router mode

    2. A Builder says:


      I wrongly believed the same as you did yesterday.

      You are absolutely right that there should be no risk at all if it was a pure modem which should be a totally transparent interface.

      But then why are they on the official vulnerability list at all?

      Which set me thinking.

      So I thought I would check our fleet of 130’s. I too was a bit puzzled as they are in bridge mode out of the box.

      The trouble is that there is a bit more to the 130 than just a dumb modem as it can report the line stats etc back to the router dynamically (although I have disabled this by default).

      I’m sorry to say it can be subverted even when in bridge mode. I’ve just tested it on one of ours and I could redirect the DNS to another of our fixed IPs. I don’t want to go into details on a public forum but it was not taxing to do so and took me about 15 minutes to figure out what the issue was.

      So patching the 130s is a must.

    3. Aerial Installer says:

      I think you have something else going on – as a PPPoE modem can’t intercept DNS.

      I’ll task one of my SecOps team to look at a V130 but I sincerely think you are mistaken – if what you say is correct then that is a major security issue and you should report that to Draytek immediately.

      Notwithstanding – you should regularly patch firmware for every network device.

    4. DevonPaddler says:

      The management interface (& line stats reporting) has nothing to do with the modem

      I’m confused what you think you’ve done tbh

      Please report this to Draytek support below as if you’ve found a vulnerability they need to know as does the entire user base ASAP

      DLink modems had a similar(ish) issue some time ago when used with a static IP range but they were routing not bridging

    5. Aerial Installer says:

      For reference, my team’s view is “there is no possibility of a Vigor130 subverting, intercepting or redirecting DNS in any manner”


  2. DrayTek UK Support says:

    Dear ‘A Builder’ – we are surprised to hear this. Could you please contact us by email so that a technician can check into that, thanks.

    1. A_Builder says:

      @DrayTek UK support

      Thanks I had contacted you in the usual way already by email IRL.

    2. DrayTek UK Support says:

      “A Builder”; we’re not sure where you emailed – we can’t find it as we don’t know your real name 🙂 We think your findings may be mistaken on this as the Vigor 130 does NOT have the issue and there will not be updated firmware for it. Perhaps send another email to info@draytek.coyuk and put “A BUILDER” in the title so it’s easier to track, thanks.

  3. NE555 says:

    Vigor130 isn’t a router; and the latest released software for this device is 3.8.2 (not It was released on 27/03/2018, and the release notes don’t mention anything about DNS vulnerabilities.


  4. A_Builder says:

    @Aerial Installer
    @DrayTek UK Support

    Egg on face time here.

    Having looked at the test rig the tech set up for me he didn’t follow my instructions.

    So the reported result is total nonsense.

    There is no issue at all with the Draytek 130.

    Apologies for wasting people’s time.

    Should have checked myself before posting.


Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved