CVE-2025-10547: Critical RCE in DrayTek Vigor Routers — What Admins Must Do Now

CyberSecureFox 🦊

DrayTek has disclosed a critical vulnerability, tracked as CVE-2025-10547, that enables unauthenticated remote code execution (RCE) on multiple Vigor router models via specially crafted HTTP/HTTPS requests to the web management interface. A working proof-of-concept (PoC) exploit exists, significantly elevating the risk of rapid weaponization once more technical details circulate.

Technical overview: memory corruption leading to RCE

According to DrayTek’s security advisory and reporting shared with BleepingComputer, the root cause is an uninitialized stack value: a local that is never assigned on some code path is later used as a pointer and handed to free(), so the address that gets released is whatever stale data happened to occupy that stack slot (an arbitrary free). Freeing a pointer the allocator never issued corrupts heap state in a way the attacker can steer, and from there the chain ends in remote code execution. The flaw was identified by Pierre-Yves Maes of ChapsVision, who demonstrated exploitation on affected hardware with a PoC. In practical terms, an external attacker can run code on the device without authentication whenever the vulnerable interface is reachable.
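To make the bug class concrete, here is an added example in C that models the pattern the advisory describes. It is not DrayTek's firmware code and not the PoC: the "stack" is an explicit array so the behaviour is deterministic, the handler names and the tracking allocator are assumptions made for the demonstration, and the real firmware's stack layout is not published on this page. The tracking allocator reports an arbitrary free instead of executing it, which is what lets the example run safely.

```c
/* Added example (not DrayTek's code): a deterministic model of an
 * uninitialized stack value reaching free(). On a real target the stale
 * value comes from whatever the previous call frame left in that slot;
 * here a simulated stack region is shared by consecutive handlers so the
 * effect is reproducible. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 8

/* Simulated stack region reused by consecutive request handlers.
 * The union keeps words[0] correctly aligned for use as a pointer slot. */
static union { uintptr_t words[8]; uint8_t bytes[64]; } sim_stack;

/* Tracking allocator: remembers every live allocation so that a free()
 * of a pointer it never issued is reported rather than performed. */
static void *live[MAX_LIVE];
static int live_count;

static void *model_alloc(size_t n) {
    void *p = malloc(n);
    if (p && live_count < MAX_LIVE) live[live_count++] = p;
    return p;
}

/* Returns 1 if p was NULL (no-op) or a live block (released),
 * 0 if free() would have been handed an arbitrary pointer. */
static int model_free(void *p) {
    if (p == NULL) return 1;
    for (int i = 0; i < live_count; i++) {
        if (live[i] == p) {
            free(p);
            live[i] = live[--live_count];
            return 1;
        }
    }
    fprintf(stderr, "arbitrary free attempted on %p\n", p);
    return 0;
}

/* Handler 1: copies a request header into a local buffer. This leaves
 * attacker-chosen bytes in the simulated stack slot at offset 0. */
static void handle_header(const char *hdr, size_t hdr_len) {
    size_t n = hdr_len < sizeof sim_stack.bytes ? hdr_len : sizeof sim_stack.bytes;
    memcpy(sim_stack.bytes, hdr, n);
}

/* Handler 2 (vulnerable): models 'char *buf;' with no initializer. buf is
 * assigned only on the success path but released on every path, so on the
 * error path the slot still holds what handle_header() left there. */
static int handle_body_vuln(const char *body) {
    void **buf = (void **)&sim_stack.words[0];
    if (body != NULL) {
        *buf = model_alloc(strlen(body) + 1);
        if (*buf == NULL) return 0;
        memcpy(*buf, body, strlen(body) + 1);
    }
    return model_free(*buf);                /* free(buf) regardless of path */
}

/* Handler 2 (fixed): initialize at declaration, so the error path frees
 * NULL (a no-op) instead of stale stack contents. */
static int handle_body_fixed(const char *body) {
    void **buf = (void **)&sim_stack.words[0];
    *buf = NULL;                            /* the one-line fix */
    if (body != NULL) {
        *buf = model_alloc(strlen(body) + 1);
        if (*buf == NULL) return 0;
        memcpy(*buf, body, strlen(body) + 1);
    }
    return model_free(*buf);
}

/* The pointer value the vulnerable handler would pass to free() on the
 * error path after a header made of attacker-chosen bytes. */
static uintptr_t leaked_pointer_after(const char *hdr) {
    handle_header(hdr, strlen(hdr));
    return sim_stack.words[0];
}

int main(void) {
    const char *evil = "AAAAAAAAAAAAAAAA";  /* constructed request header */
    handle_header(evil, strlen(evil));
    printf("vulnerable handler, error path: %s\n",
           handle_body_vuln(NULL) ? "freed a live block" : "arbitrary free");
    handle_header(evil, strlen(evil));
    printf("fixed handler, error path: %s\n",
           handle_body_fixed(NULL) ? "nothing to free" : "arbitrary free");
    return 0;
}
```

The model shows why the class is attacker-reachable without authentication: the stale slot is filled by an earlier step of request parsing, before any credential check, and the later handler trusts it as a pointer. Initializing at declaration and freeing only what was allocated is the generic fix for the class; whether DrayTek's patch does exactly that is not stated on this page.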

Attack surface: web admin over HTTP/HTTPS and SSL VPN exposure

The vulnerable code is reached through the web management interface, so any network path that exposes that interface over HTTP/HTTPS is an attack path. DrayTek advises disabling web administration from the WAN and, where SSL VPN must stay enabled, restricting who can reach it with access control lists (ACLs) and VLAN segmentation. Note that closing WAN access reduces exposure but does not remove the flaw: the interface remains reachable from the LAN, so a malicious insider or a compromised internal host can still trigger it until the firmware is patched.

Affected devices and vendor patches

Multiple Vigor models are impacted. Updated firmware is available, and administrators should upgrade immediately to the versions listed in DrayTek’s official bulletin. Before patching, back up current configurations and schedule an appropriate maintenance window. After the update, verify device health, service availability, and the integrity of security policies (ACL/NAT/firewall rules).

Why edge routers raise the stakes

Perimeter routers govern north–south traffic and often serve as the first line of defense. A compromise can enable route manipulation, traffic interception, insertion of malicious firewall/NAT rules, and lateral movement. Historically, SOHO/SMB routers have been prime targets for botnets like Mirai/Mozi and state-aligned actors, with mass Internet scanning routinely identifying exposed management interfaces. Keeping WAN management closed and firmware current materially reduces attack surface.

Risk mitigation: immediate actions for DrayTek Vigor

Patch now: Upgrade to the fixed firmware versions from DrayTek without delay. Confirm that WAN web management is disabled. If remote administration is required, restrict by source IP via ACLs, place the interface in a separate management VLAN, and prefer VPN access with MFA.

Harden services: Allow only HTTPS with modern ciphers; disable HTTP and legacy protocols. Use unique, strong credentials and remove or disable any default accounts. Enforce role-based access with least privilege.

Monitor and detect: Enable detailed logging, watch for anomalous logins, configuration changes, and unexpected service restarts or reboots, and configure alerts on them. Because WAN web management should be closed, any connection attempt to the management port from the Internet is itself a signal worth alerting on. If you operate an IDS/IPS, apply vendor signatures for CVE-2025-10547 as they become available.

Validate integrity: If the web interface was Internet-exposed, perform retrospective log review, verify firmware integrity (e.g., checksums where available), and consider reflashing from a trusted image followed by loading a known-good, minimal configuration. Review the device for persistence mechanisms (startup scripts, unauthorized ACL/NAT rules, scheduled tasks) that could survive a reboot.

Operational recommendations and broader context

Maintain a baseline of exposed services, routinely scan external attack surface, and align with vendor advisories and government guidance (e.g., hardening management interfaces and isolating administrative planes). Given the published PoC and the attractiveness of edge devices to both cybercrime and APT actors, assume public exploitation attempts will follow and prioritize remediation across all affected DrayTek Vigor deployments.

Prompt firmware updates, strict minimization of management exposure (closed WAN admin, IP allowlists, and VLAN segmentation), and continuous monitoring are essential to mitigate CVE-2025-10547. Administrators should act now to patch impacted devices, lock down web and VPN access, and intensify logging and detection to stay ahead of potential automated attacks.
