
Researchers find 14 flaws in DrayTek routers


Researchers have discovered 14 new security vulnerabilities in DrayTek routers that could allow attackers to take control of over 700,000 devices. The flaws, collectively called DRAY:BREAK, were found by Forescout Vedere Labs. Two of the vulnerabilities are rated as critical, with one receiving the maximum CVSS score of 10.0. This flaw, CVE-2024-41592, is a buffer overflow bug in the Web user interface that could lead to denial-of-service or remote code execution.

Another critical vulnerability, CVE-2024-41585, relates to operating system command injection in the communication between the host and guest OS. The remaining vulnerabilities range from medium to high severity and include issues such as cross-site scripting, buffer overflows, and information disclosure.

Flaws discovered in DrayTek routers

Forescout’s analysis revealed that over 704,000 DrayTek routers have their Web UI exposed to the internet, making them vulnerable to attacks. The majority of the exposed devices are located in the U.S., Vietnam, the Netherlands, Taiwan, and Australia. DrayTek has released patches for all the identified flaws, including fixes for 11 end-of-life models.

Forescout advises users to patch their devices, disable remote access if not needed, and use access control lists and two-factor authentication when possible.

The discovery of these vulnerabilities comes as cybersecurity agencies from nine countries issued joint guidance for critical infrastructure organizations to maintain secure operational technology environments. The guidance outlines six foundational rules, emphasizing the importance of safety, knowledge of the business, protecting OT data, segmenting networks, securing the supply chain, and the role of people in OT cybersecurity.
