{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/294418#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA remote code execution (RCE) vulnerability was discovered through the EasyVPN and LAN web administration interface of Vigor routers by Drayteck. A script in the LAN web administration interface uses an unitialized variable, allowing an attacker to inject arbitrary commands through memory corruption with specially crafted HTTP requests.\r\n\t\r\n### Description\r\nVigor routers are business-grade routers, designed for small to medium-sized businesses, made by Draytek. These routers provide routing, firewall, VPN, content-filtering, bandwidth management, LAN (local area network), and multi-WAN (wide area network) features. Draytek uses proprietary firmware, DrayOS, on the Vigor router line. The DrayOS features EasyVPN and LAN Web Administrator facilitate easy setup for administrators. EasyVPN simplifies the setup of secure VPN connections. LAN Web Administrator provides a browser-based user interface for router management.\r\n\r\nWhen a user interacts with the LAN Web Administration interface, the user interface elements trigger actions that generate HTTP requests to interact with the local server. This process contains an uninitialized variable. Due to the uninitialized variable, an unauthenticated attacker could perform memory corruption on the router via specially crafted HTTP requests to hijack execution or inject malicious payloads.\r\nIf EasyVPN is enabled, the flaw could be remotely exploited through the VPN interface.\r\n\r\n### Impact\r\nA remote, unathenticated attacker can exploit this vulnerability through accessing the LAN interface - or potentially the WAN interface- if EasyVPN is enabled or remote administration over the internet is activated. If a remote, unauthenticated attacker leverages this vulnerability, they can execute arbitrary code on the router (RCE) and gain full control of the device. A successful attack could result in a attacker gaining root access to a Vigor router, installing backdoors, reconfiguring network settings, and blocking traffic. An attacker may also pivot for lateral movement through intercepting internal communications and bypassing VPNs. \r\n\r\n### Solution\r\nThe DrayTek Security team has developed a series of patches to remediate the vulnerability, and all users of Vigor routers should upgrade to the latest version ASAP. The patches can be found on the [resources](https://www.draytek.com/support/resources?type=version) page of the DrayTek webpage, and the security advisory can be found within the [about](https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/) section of the DrayTek webpage. Consult either the CVE listing or the advisory page for a full list of affected products. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, Pierre-Yves (maes.challenge@gmail.com) from ChapVision.This document was written by Ayushi Kriplani.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"The issue is confirmed, and here is the patch list\r\n\r\nV3912/V3910/V2962/V1000B\t4.4.3.6/4.4.5.1\r\nV2927/V2865/V2866\t4.5.1\r\nV2765/V2766/V2763/V2135\t4.5.1\r\nV2915\t4.4.6.1\r\nV2862/V2926\t3.9.9.12\r\nV2952/3220\t3.9.8.8\r\nV2860/V2925\t3.9.8.6\r\nV2133/V2762/V2832\t3.9.9.4\r\nV2620/LTE200\t3.9.9.5","title":"Vendor statment from DrayTek Corporation"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/294418"},{"url":"https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/","summary":"https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/"},{"url":"https://www.draytek.com/support/resources?type=version","summary":"https://www.draytek.com/support/resources?type=version"}],"title":"Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface","tracking":{"current_release_date":"2026-03-02T14:21:15+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#294418","initial_release_date":"2025-10-03 11:35:31.026053+00:00","revision_history":[{"date":"2026-03-02T14:21:15+00:00","number":"1.20260302142115.4","summary":"Released on 2026-03-02T14:21:15+00:00"}],"status":"final","version":"1.20260302142115.4"}},"vulnerabilities":[{"title":"An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption.","notes":[{"category":"summary","text":"An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption."}],"cve":"CVE-2025-10547","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#294418"}],"product_status":{"known_affected":["CSAFPID-682c9258-34db-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"DrayTek Corporation","product":{"name":"DrayTek Corporation Products","product_id":"CSAFPID-682c9258-34db-11f1-8422-122e2785dc9f"}}]}}