Security researchers have disclosed CVE-2025-10547, a severe vulnerability in DrayTek’s DrayOS operating system that powers multiple Vigor router models.
The flaw affects the Web User Interface (WebUI), which administrators use to manage their routers. By sending specially crafted HTTP or HTTPS requests, an attacker can trigger memory corruption inside the router’s software.
Because the bug requires no authentication, a remote attacker can exploit the flaw without valid credentials. This dramatically raises the risk for organizations that expose their routers’ WebUI to the internet.
Impact of Exploitation
If attackers exploit CVE-2025-10547, they can achieve remote code execution (RCE). In practice, this means adversaries could:
-
Run arbitrary code on the router
-
Install malware, backdoors, or botnet clients
-
Intercept, modify, or redirect network traffic
-
Use the router as a pivot into the wider enterprise network
Routers act as a gateway between internal systems and the internet, making this type of compromise especially dangerous. A single exploited router can quickly escalate into a full network breach.
DrayTek confirmed that many Vigor series models are affected, including:
-
Vigor1000B
-
Vigor2962
-
Vigor286x
-
Vigor291x
-
Vigor292x
-
Vigor295x
-
Vigor3910
-
Vigor3912
Additional models running DrayOS are also under review. Organizations should assume exposure if their firmware is not up to date.
DrayTek has released firmware patches for all affected models. In addition to installing the update, administrators should apply immediate mitigations to reduce attack surface:
-
Disable WebUI and SSL VPN access from the WAN interface
-
Restrict WebUI access using Access Control Lists (ACLs) tied to trusted IP addresses
-
Use VLAN segmentation to limit unauthorized access within LAN networks
-
Monitor router logs for signs of unusual or unauthorized activity
While these steps lower the risk, patching is the only permanent fix.
Why This Vulnerability Is Critical
Attackers frequently target routers because they sit at the perimeter of the network. A successful exploit can provide long-term persistence, visibility into all traffic, and a launchpad for lateral movement.
CVE-2025-10547 is especially critical because it:
-
Requires no authentication
-
Can be exploited remotely over the internet
-
Impacts a broad set of enterprise-class devices
-
Provides full control of the target system
Therefore, any delay in patching could give adversaries a permanent foothold in enterprise or ISP networks.
CVE-2025-10547 in DrayOS routers is a high-risk vulnerability that requires urgent action. Organizations should immediately apply the latest firmware updates, disable external WebUI access, and strengthen access controls.
Leaving devices unpatched exposes enterprises to remote compromise, data theft, and persistent infiltration. Even infrastructure considered “niche,” like weather routers or VPN gateways, can quickly become a stepping stone for major network intrusions.
FAQs
Q: What is CVE-2025-10547?
A: It’s a remote code execution vulnerability in DrayOS routers that allows attackers to run malicious code without authentication.
Q: Which routers are affected?
A: Multiple DrayTek Vigor models, including 1000B, 2962, 286x, 291x, 292x, 295x, 3910, and 3912.
Q: How can attackers exploit this flaw?
A: By sending crafted HTTP/HTTPS requests to the router’s WebUI, triggering memory corruption that leads to code execution.
Q: How should organizations respond?
A: Apply firmware updates, disable WAN WebUI access, enforce ACLs, and monitor for suspicious activity.
