DrayOS Routers Vulnerability Enables Remote Code Execution

Researchers disclosed a critical security flaw in DrayOS-powered enterprise routers that allows unauthenticated remote attackers to trigger memory corruption, system crashes, and potentially execute arbitrary code.

The vulnerability resides in the Web User Interface (WebUI), which accepts HTTP(S) requests without sufficient input validation. If exploited, attackers could gain complete control of affected devices and pivot deeper into corporate networks.

Vulnerability Details and Exploitation

The flaw can be triggered when crafted HTTP or HTTPS requests are sent to the WebUI over network interfaces where remote access is enabled.

During malicious interactions, the WebUI fails to properly handle specially crafted parameters, leading to memory corruption.

A successful attack may crash the device, disrupting network connectivity. In specific configurations, attackers can leverage the crash to overwrite memory regions and execute shell commands with root privileges.

No authentication is required, and proof-of-concept exploits demonstrate remote code execution on versions before the patched firmware.

While the vulnerability’s public designation is yet to receive a CVE identifier, its impact mirrors high-severity remote code execution flaws historically exploited in routers.

Exploitation from the Wide Area Network (WAN) is prevented when WebUI and SSL VPN services are disabled or protected by properly configured Access Control Lists (ACLs).

However, if remote access remains enabled, the risk is pervasive.

Even within Local Area Networks (LANs), an attacker with network access can target the WebUI.

On certain router models, LAN-side VLAN segmentation and ACLs can limit local WebUI access, but these controls are optional and dependent on correct configuration.

Affected Models and Firmware Updates

DrayTek has released firmware updates for all impacted models. Users must update to the minimum firmware versions listed below to eliminate the vulnerability.

Failure to upgrade exposes routers to remote exploits that can compromise network integrity and allow lateral movement by threat actors.

To safeguard networks immediately, administrators should disable remote WebUI and SSL VPN access on the WAN interface and enforce ACL rules that restrict WebUI reachability to trusted hosts only.

Where possible, implement VLAN segmentation on the LAN side to isolate management interfaces.

Organizations relying on remote management should adopt out-of-band solutions, such as dedicated management networks or zero-trust remote access tools, to reduce exposure.

Beyond network controls, prompt firmware updates are essential.

Confirm devices are running at least the recommended versions and schedule routine patch audits to identify any outdated installations.

Regularly review DrayTek security advisories and subscribe to vulnerability feeds for timely alerts.

Finally, conduct periodic penetration tests to validate that all remote management interfaces are correctly secured and monitor router logs for abnormal WebUI request patterns indicative of exploitation attempts.

We extend our sincere appreciation to Pierre-Yves MAES from ChapsVision for his responsible disclosure and timely reporting of this vulnerability, which has contributed to strengthening our security measures.

Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today