Customers of DrayTek's popular broadband routers, a familiar name in the UK ISP world, have this week been notified about two recently published security vulnerabilities in several of their products, both of which carry a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10. But don't worry, new firmware already exists to patch them.
In security terms, the past few months have been rather bumpy for DrayTek, which took a hit late last year after Forescout Research identified 14 security vulnerabilities in 24 models of their popular Vigor routers (here). The latest development is that several new critical security vulnerabilities affect the company's routers; these were discovered on 9th October 2024 but only published at the end of February 2025.
The first one, CVE-2024-51138, is a stack-based buffer overflow in the TR069 STUN server that may allow remote code execution with elevated privileges. The second one, CVE-2024-51139, is another buffer overflow, affecting multiple Vigor routers, that allows remote code execution via HTTP POST requests. Thanks to Fred for the news tip.
The good news is that DrayTek patched these by releasing new firmware versions around November 2024 (depending on model), although they've only now begun contacting customers on their mailing list to urge them to “upgrade your firmware immediately”. The company also posted a related notice on their website last week (here).
DrayTek’s Email Notice
If remote access is enabled:
➤ Disable it unless absolutely necessary.
➤ Use an access control list (ACL) and enable 2FA if possible.
➤ For unpatched routers, disable both remote access (admin) and SSL VPN.
➤ Note: ACL doesn't apply to SSL VPN (Port 443), so temporarily disable SSL VPN until upgraded.
Affected Products and Fixed Firmware Versions:
Vigor2620 LTE – 3.9.9.1
VigorLTE 200n – 3.9.9.1
Vigor2133 – 3.9.9.2
Vigor2135 – 4.4.5.5
Vigor2762 – 3.9.9.2
Vigor2765 – 4.4.5.5
Vigor2766 – 4.4.5.5
Vigor2832 – 3.9.9.2
Vigor2860 / 2860 LTE – 3.9.8.3
Vigor2862 / 2862 LTE – 3.9.9.8
Vigor2865 / 2865 LTE / 2865L-5G – 4.4.5.8
Vigor2866 / 2866 LTE – 4.4.5.8
Vigor2925 / 2925 LTE – 3.9.8.3
Vigor2926 / 2926 LTE – 3.9.9.8
Vigor2927 / 2927 LTE / 2927L-5G – 4.4.5.8
Vigor2962 – 4.3.2.9 / 4.4.3.2
Vigor3910 – 4.3.2.9 / 4.4.3.2
Vigor3912 – 4.3.6.2 / 4.4.3.2
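As an added example (not part of the article or DrayTek's notice), a small Python inventory check that compares each router's reported firmware against the fixed versions listed above. It assumes the model number appears in the reported model string, and reads two-version entries (e.g. 4.3.2.9 / 4.4.3.2) as one fix per firmware branch, which is an assumption rather than something the notice states.

```python
import re

# Fixed-firmware table transcribed from the DrayTek notice above, keyed by the
# model number found in a router's reported model string. Two versions (e.g.
# 4.3.2.9 / 4.4.3.2) are read as one fix per branch: an assumption, see lead-in.
FIXED_FIRMWARE = {
    "2620": ["3.9.9.1"], "LTE 200n": ["3.9.9.1"], "2133": ["3.9.9.2"],
    "2135": ["4.4.5.5"], "2762": ["3.9.9.2"], "2765": ["4.4.5.5"],
    "2766": ["4.4.5.5"], "2832": ["3.9.9.2"], "2860": ["3.9.8.3"],
    "2862": ["3.9.9.8"], "2865": ["4.4.5.8"], "2866": ["4.4.5.8"],
    "2925": ["3.9.8.3"], "2926": ["3.9.9.8"], "2927": ["4.4.5.8"],
    "2962": ["4.3.2.9", "4.4.3.2"], "3910": ["4.3.2.9", "4.4.3.2"],
    "3912": ["4.3.6.2", "4.4.3.2"],
}

def parse_version(text):
    """'4.4.5.10' -> (4, 4, 5, 10). Compare numerically, not as strings,
    otherwise 4.4.5.10 would sort below 4.4.5.8."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(n) for n in nums)

def is_patched(model, running):
    """True if `running` is at or above the fix for the model's firmware
    branch. Raises KeyError for models the notice does not list."""
    key = next((k for k in FIXED_FIRMWARE if k in model), None)
    if key is None:
        raise KeyError(f"{model!r} is not in the affected-products list")
    run = parse_version(running)
    fixes = [parse_version(v) for v in FIXED_FIRMWARE[key]]
    # Prefer the fix on the same major.minor branch; for an unlisted branch
    # fall back to the lowest fix so older firmware still reports unpatched.
    same_branch = [f for f in fixes if f[:2] == run[:2]]
    target = same_branch[0] if same_branch else min(fixes)
    return run >= target

def audit(inventory):
    """inventory: iterable of (name, model, firmware). Returns the names of
    routers still exposed to CVE-2024-51138 / CVE-2024-51139."""
    return [name for name, model, fw in inventory if not is_patched(model, fw)]

SAMPLE = [  # constructed sample inventory, not real devices
    ("branch-a", "Vigor2865 LTE", "4.4.5.8"),
    ("branch-b", "Vigor2865L-5G", "4.4.5.7"),
    ("core-1", "Vigor3910", "4.3.2.9"),
    ("core-2", "Vigor3910", "4.4.3.1"),
]
if __name__ == "__main__":
    print("Unpatched:", audit(SAMPLE))  # ['branch-b', 'core-2']
```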
DrayTek has since thanked the Faraday Security Research team, which has posted more details about the issues online (here), for their “efforts in security testing and timely reporting the vulnerability”.
Familiar name in the UK ISP world? I thought they had vanished, I have not seen any of their routers for a few years.
Oh the Drayteks are alive and unwell – they're the favourite of many IT companies who throw those expensive piles of garbage into customer setups, complete with the reliability issues, hostile interface, and randomly breaking feature sets… my policy is to remove them anytime I come across them.
They were just as bad in the ADSL days where they were causing many a sync loss and thus service loss event – despite being one of the few ‘approved’ modems that had passed the BT/Openreach MCT (modem conformance testing).
Anytime I see some company install them, I assume they’ll be incompetent.
Draytek routers are slowly turning into garbage. UK support is slow or close to non-existent. Constant issues with their firmware. Plenty of comments like that on their UK forums as well. We are ditching them ASAP.
I have to agree. I replaced a 100Mb for a Gb version and raised a support request on the first day of installation – what support? In the end, I decided to return it. The first one worked perfectly on fibre, only limited by bandwidth; the Gb had problems.
I decided Draytek was a brand to avoid when they issued a fix to a WPA2 vuln with no details about what they’d done to fix it (whilst every other vendor did).
That was after finding out that the management logon screen was displayed on an interface it was disabled on – you just couldn’t log on to it. Talk about a breach waiting to happen. Said everything you needed to know about whether “security by design” was their strategy.
Compared to that, the inability to set the DHCP server to serve more than 254 addresses even on an interface set to a netmask smaller than 24 was a minor thing 🙂
All this was 5-8 years ago.
I hate that the VPN service is enabled by default (which is where the original exploit happened) when you have it in factory default state (nothing should be open WAN side until you configure it).
Need to reset a Draytek because the web panel is now inaccessible and can't ping it anymore.
I read about a load of vulnerabilities in TP link routers. My parents ax1800 hasn’t been updated since 2023-08-18. I don’t understand why this happens, government must do more to ensure manufacturers update firmware to fix security issues.
I've had similar issues with a few OEMs; these days I make sure to buy stuff which can have alternative OSs installed, e.g. WRT, opnsense, etc.
I have had Draytek routers for many years though I am disappointed that these vulnerabilities are becoming commonplace. I do install the latest updates as soon as possible. There are so many options in these routers that I’m not too surprised that some things get overlooked in the testing regimes and only get discovered when they are out in the field.
I have never found the need to call support as my configuration is simple – I do not need many of the features included. That said, the documentation seems to have been written for insiders who know the Draytek range intimately and know how the features work in detail. It seems to me that users who are either new to the product or those that do not know or understand the features offered will have difficulty understanding some of Draytek's manuals. If features are set up incorrectly then that might cause serious network or security problems. All that said, I have found (in over 50 years starting with Intel) that the majority of tech manuals (not just Draytek) have been written by technical staff who know their product but have no idea how to communicate with the users/purchasers, who often have to learn by trial and error.
It is a good job there are dedicated souls that devote their careers to finding bugs. I suspect it is a thankless task!
Make sure the VPN service is disabled if you don't use it, as it's enabled and open to the Internet side (it's where the original compromise happened).
Pretty pleased with my Draytek; it's the only brand of router where uptime is many months. In fact, the only time it ever needs to reboot is for firmware.
This article is incorrect. The issue was fixed in November, and customers were contacted at the time. They were also reminded a few days ago.
This is not only last year’s news, it’s pretty non-news
I have had a DrayTek for many years, still used, now EOL. However, the company still provides updates; the latest were applied a couple of months ago. It's up to the owner to keep the router updated, and also to turn off ports that are open to the internet, unless there is an overriding need.
If someone wants a simple router, with limited monitoring, then use the ISP supplied one, mine is in its original box.
One thing you must do is turn off the VPN service as it's enabled by default (note it's under the service page; it's not on the same page as the VPN configuration page).
Big fan of DrayTek’s hardware. I live in a FTTC only location and bought their Vigor 130 used off eBay years ago and it is rock solid.
I use pfsense with pfgblocker, trackers and floating adverts no longer bother me.
My AP is Asus Wifi 6.
I had to stop data leaks and all sort of rubbish getting into and out of my system.