CVE-2025-10547: Vigor routers face RCE risk via EasyVPN
Overview
A remote code execution (RCE) vulnerability, tracked as CVE-2025-10547, was discovered in the EasyVPN and Local Area Network (LAN) web administration interface of Vigor routers by DrayTek. A script in the LAN web administration interface uses an uninitialized variable, allowing an attacker to send specially crafted Hypertext Transfer Protocol (HTTP) requests that cause memory corruption and potentially allow arbitrary code execution.
Description
Vigor routers are business-grade routers, designed for small to medium-sized businesses, made by DrayTek. These routers provide routing, firewall, Virtual Private Network (VPN), content-filtering, bandwidth management, LAN, and multi-WAN (Wide Area Network) features. DrayTek runs a proprietary firmware, DrayOS, on the Vigor router line. DrayOS includes the EasyVPN and LAN Web Administrator tools to facilitate LAN and VPN setup. According to the DrayTek website, “with EasyVPN, users no longer need to generate WireGuard keys, import OpenVPN configuration files, or upload certificates. Instead, VPN can be successfully established by simply entering the username and password or getting the OTP code by email.”
The LAN Web Administrator provides a browser-based user interface for router management. When a user interacts with the LAN Web Administration interface, the user interface elements trigger actions that generate HTTP requests to interact with the local server. This process contains an uninitialized variable. Due to the uninitialized variable, an unauthenticated attacker could perform memory corruption on the router via specially crafted HTTP requests to hijack execution or inject malicious payloads. If EasyVPN is enabled, the flaw could be remotely exploited through the VPN interface.
Impact
A remote, unauthenticated attacker can exploit this vulnerability by accessing the LAN interface, or potentially the Wide Area Network (WAN) interface if EasyVPN is enabled or remote administration over the internet is activated. An attacker who leverages this vulnerability can execute arbitrary code on the router (RCE) and gain full control of the device. A successful attack could result in the attacker gaining root access to a Vigor router and then installing backdoors, reconfiguring network settings, or blocking traffic. An attacker may also pivot for lateral movement by intercepting internal communications and bypassing VPNs.
Solution
The DrayTek Security team has developed a series of patches to remediate the vulnerability, and all users of Vigor routers should upgrade to the latest version ASAP. The patches can be found on the resources page of the DrayTek webpage, and the security advisory can be found within the about section of the DrayTek webpage. Consult either the Common Vulnerabilities and Exposures (CVE) listing or the advisory page for a full list of affected products.
Acknowledgements
Thanks to the reporter, Pierre-Yves MAES of ChapsVision. This document was written by Ayushi Kriplani.
Vendor Information
One or more vendors are listed for this advisory. Please reference the full report for more information.
References
- https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/
- https://www.draytek.com/support/resources?type=version
Other Information
| CVE IDs: | CVE-2025-10547 |
| Date Public: | 2025-10-03 |
| Date First Published: | 2025-10-03 |
| Date Last Updated: | 2025-10-03 11:40 UTC |
| Document Revision: | 2 |