DrayTek Router Vulnerability Exploited in the Wild – Linked to Reboot Loop Issue

The cybersecurity world has been abuzz with reports of widespread reboots affecting DrayTek routers across the globe.

While the exact cause of these reboots remains largely unconfirmed, GreyNoise has brought to light significant in-the-wild exploitation of several known vulnerabilities in DrayTek devices.

Although a direct link between this activity and the reported reboots cannot be firmly established, the data serves as a crucial alert for network defenders to remain vigilant and take proactive measures.

Observed Vulnerability Exploits

GreyNoise’s Global Observation Grid (GOG) has identified in-the-wild activity targeting several Common Vulnerabilities and Exposures (CVEs) affecting DrayTek routers:

• CVE-2020-8515: This is a remote code execution vulnerability present in multiple DrayTek router models. While there has been no activity in the past 24 hours, 82 IP addresses were observed exploiting this vulnerability over the last 30 days, with the majority of sessions originating from Indonesia, Hong Kong, and the United States.
• CVE-2021-20123 & CVE-2021-20124: Both are directory traversal vulnerabilities within DrayTek’s VigorConnect. Activity has been observed in the past 24 hours for both CVEs, with 23 and 22 IP addresses involved over the past month, respectively. The top countries targeted by these sessions are Lithuania, the United States, and Singapore.

Importance of Vigilance

Despite the absence of definitive evidence linking these exploits to the recent wave of router reboots, they highlight the ongoing threat landscape facing network infrastructure devices.

The exploitation of these vulnerabilities poses significant security risks, including the potential for unauthorized access to network systems.

Recommendations for Network Defenders

1. Monitor Network Activity: Utilize tools like GreyNoise’s GOG to monitor for suspicious activity related to these CVEs.
2. Block Malicious IPs: Implement firewall rules to block IP addresses identified as malicious.
3. Update Firmware: Ensure all DrayTek routers are running the latest firmware, as updates often include patches for known vulnerabilities.
4. Secure Passwords: Use strong, unique passwords for router access to prevent unauthorized login attempts.

While the connection between these vulnerabilities and the global reboots remains speculative, the continued exploitation of these CVEs underscores the need for vigilance and proactive security measures.

As network devices become increasingly critical infrastructure, staying ahead of emerging threats is paramount.

By leveraging intelligence from organizations like GreyNoise and taking swift action to secure vulnerable devices, network administrators can safeguard against potential exploits and ensure the stability of their networks.

In the fast-evolving landscape of cybersecurity, staying informed and prepared is key to mitigating emerging threats.

As more data becomes available regarding the reboots and their possible causes, the importance of maintaining robust security practices will only grow.

With ongoing vigilance and the implementation of robust security protocols, the risks associated with these vulnerabilities can be effectively managed.

This not only protects individual networks but also contributes to a more secure global digital environment.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.