Draytek identifies RCE vulnerability in Vigor routers via EasyVPN and LAN interface
Overview
A remote code execution (Reinforcement Coordination Engine (RCE)) vulnerability was discovered through the EasyVPN and Local Area Network (LAN) web administration interface of Vigor routers by Drayteck. A script in the LAN web administration interface uses an unitialized variable, allowing an attacker to inject arbitrary commands through memory corruption with specially crafted Hypertext Transfer Protocol (HTTP) requests.
Description
Vigor routers are business-grade routers, designed for small to medium-sized businesses, made by Draytek. These routers provide routing, firewall, Virtual Private Network (VPN), content-filtering, bandwidth management, LAN (LAN), and multi-WAN (Wide Area Network (WAN)) features. Draytek uses proprietary firmware, DrayOS, on the Vigor router line. The DrayOS features EasyVPN and LAN Web Administrator facilitate easy setup for administrators. EasyVPN simplifies the setup of secure VPN connections. LAN Web Administrator provides a browser-based user interface for router management.
When a user interacts with the LAN Web Administration interface, the user interface elements trigger actions that generate HTTP requests to interact with the local server. This process contains an uninitialized variable. Due to the uninitialized variable, an unauthenticated attacker could perform memory corruption on the router via specially crafted HTTP requests to hijack execution or inject malicious payloads. If EasyVPN is enabled, the flaw could be remotely exploited through the VPN interface.
Impact
A remote, unathenticated attacker can exploit this vulnerability through accessing the LAN interface - or potentially the Wide Area Network (WAN) interface- if EasyVPN is enabled or remote administration over the internet is activated. If a remote, unauthenticated attacker leverages this vulnerability, they can execute arbitrary code on the router (RCE) and gain full control of the device. A successful attack could result in a attacker gaining root access to a Vigor router, installing backdoors, reconfiguring network settings, and blocking traffic. An attacker may also pivot for lateral movement through intercepting internal communications and bypassing VPNs.
Solution
The DrayTek Security team has developed a series of patches to remediate the vulnerability, and all users of Vigor routers should upgrade to the latest version ASAP. The patches can be found on the resources page of the DrayTek webpage, and the security advisory can be found within the about section of the DrayTek webpage. Consult either the Common Vulnerabilities and Exposures (CVE) listing or the advisory page for a full list of affected products.
Acknowledgements
Thanks to the reporter, Pierre-Yves ([email protected]).This document was written by Ayushi Kriplani.
Vendor Information
One or more vendors are listed for this advisory. Please reference the full report for more information.
References
- https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/
- https://www.draytek.com/support/resources?type=version
Other Information
| CVE Intrusion Detection System (IDS): | CVE-2025-10547 |
| Date Public: | 2025-10-03 |
| Date First Published: | 2025-10-03 |
| Date Last Updated: | 2025-10-16 18:51 UTC |
| Document Revision: | 3 |
- About vulnerability notes
- Contact us about this vulnerability
- Provide a vendor statement