CISA issues alert on DrayTek Vigor routers RCE vulnerability via EasyVPN and LAN interfaces

DrayTek's Vigor routers running the DrayOS firmware contain a remote code execution vulnerability in the EasyVPN feature and the Local Area Network (LAN) web administration interface. The flaw allows attackers to inject commands into the device, giving them full control over affected routers.

The vulnerability, identified as CVE-2025-10547, affects DrayOS-based routers that include the EasyVPN and LAN Web Administrator components. It stems from a script in the LAN web interface that uses an uninitialized variable, which can be triggered through specially crafted Hypertext Transfer Protocol (HTTP) requests to the router's local web server. When EasyVPN is active, the flaw can also be reached remotely over the Virtual Private Network (VPN) interface. This memory corruption issue requires no authentication and lies in the router's handling of HTTP requests.

Exploitation by a remote, unauthenticated attacker, either from the LAN or from the Wide Area Network (WAN) interface when EasyVPN is enabled or remote administration is active, can lead to arbitrary code execution. A successful attack yields root-level access, allowing installation of backdoors, changes to the network configuration, traffic obstruction, and potential lateral movement through interception of internal communications and VPN bypass.

DrayTek has released patches addressing this vulnerability and recommends that users update their Vigor router firmware promptly. Details and updates are available on DrayTek's resources and security advisory web pages. The Common Vulnerabilities and Exposures (CVE) entry and the advisory describe the full scope of affected products.

Users are encouraged to follow official guidance and refer to vendor resources for mitigation instructions. The advisory credits the vulnerability reporter and stresses applying the provided updates for remediation.