Monday, May 5, 2025
HomeCVE/vulnerabilityDrayTek Router Vulnerability Exploited in the Wild – Linked to Reboot Loop...

DrayTek Router Vulnerability Exploited in the Wild – Linked to Reboot Loop Issue

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity world has been abuzz with reports of widespread reboots affecting DrayTek routers across the globe.

While the exact cause of these reboots remains largely unconfirmed, GreyNoise has brought to light significant in-the-wild exploitation of several known vulnerabilities in DrayTek devices.

Although a direct link between this activity and the reported reboots cannot be firmly established, the data serves as a crucial alert for network defenders to remain vigilant and take proactive measures.

- Advertisement - Google News

Observed Vulnerability Exploits

GreyNoise’s Global Observation Grid (GOG) has identified in-the-wild activity targeting several Common Vulnerabilities and Exposures (CVEs) affecting DrayTek routers:

  • CVE-2020-8515: This is a remote code execution vulnerability present in multiple DrayTek router models. While there has been no activity in the past 24 hours, 82 IP addresses were observed exploiting this vulnerability over the last 30 days, with the majority of sessions originating from Indonesia, Hong Kong, and the United States.
  • CVE-2021-20123 & CVE-2021-20124: Both are directory traversal vulnerabilities within DrayTek’s VigorConnect. Activity has been observed in the past 24 hours for both CVEs, with 23 and 22 IP addresses involved over the past month, respectively. The top countries targeted by these sessions are Lithuania, the United States, and Singapore.

Importance of Vigilance

Despite the absence of definitive evidence linking these exploits to the recent wave of router reboots, they highlight the ongoing threat landscape facing network infrastructure devices.

The exploitation of these vulnerabilities poses significant security risks, including the potential for unauthorized access to network systems.

Recommendations for Network Defenders

  1. Monitor Network Activity: Utilize tools like GreyNoise’s GOG to monitor for suspicious activity related to these CVEs.
  2. Block Malicious IPs: Implement firewall rules to block IP addresses identified as malicious.
  3. Update Firmware: Ensure all DrayTek routers are running the latest firmware, as updates often include patches for known vulnerabilities.
  4. Secure Passwords: Use strong, unique passwords for router access to prevent unauthorized login attempts.

While the connection between these vulnerabilities and the global reboots remains speculative, the continued exploitation of these CVEs underscores the need for vigilance and proactive security measures.

As network devices become increasingly critical infrastructure, staying ahead of emerging threats is paramount.

By leveraging intelligence from organizations like GreyNoise and taking swift action to secure vulnerable devices, network administrators can safeguard against potential exploits and ensure the stability of their networks.

In the fast-evolving landscape of cybersecurity, staying informed and prepared is key to mitigating emerging threats.

As more data becomes available regarding the reboots and their possible causes, the importance of maintaining robust security practices will only grow.

With ongoing vigilance and the implementation of robust security protocols, the risks associated with these vulnerabilities can be effectively managed.

This not only protects individual networks but also contributes to a more secure global digital environment.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...