DrayTek routers—widely used in small businesses and remote work setups—are facing increased scrutiny following the discovery of 14 critical vulnerabilities in their web-based management interfaces. The flaws, including one rated a maximum 10/10 on the CVSS scale, are now being actively exploited by threat actors.

In a recent investigation conducted by our Incident Response (IR) Team, we identified a ransomware attack that originated from an exploited DrayTek router. With over 700,000 devices exposed to the public internet, this issue represents a serious security risk for businesses and individuals worldwide.

The Vulnerabilities

Security researchers uncovered multiple flaws affecting DrayTek Vigor routers, the most critical being a remote code execution (RCE) vulnerability. Exploiting these weaknesses enables attackers to:

  • Take Full Control of the Router: Using the RCE flaw, attackers can execute commands remotely, essentially turning the router into a backdoor for malicious activities.
  • Install Ransomware and Malware: Once compromised, attackers can deploy ransomware, disrupting operations and locking businesses out of critical systems.
  • Move Laterally Within Networks: With control of the router, attackers can pivot to other connected devices—workstations, servers, and IoT systems—expanding their attack surface.
  • Create Botnets or Launch DDoS Attacks: Attackers can weaponise compromised routers to form botnets, often used for massive distributed denial-of-service (DDoS) attacks.

These vulnerabilities specifically impact the routers’ web-based management interface, a feature that remains exposed on hundreds of thousands of devices. Researchers’ scans revealed 704,000 DrayTek devices with management interfaces accessible via the public internet, making them prime targets for attackers.

Our Incident Response Findings

Over the past week, our Incident Response Team has seen a rise in ransomware cases linked to vulnerable DrayTek routers. In one case, attackers exploited the RCE flaw to gain an initial foothold. From there, they escalated their access, deployed ransomware, and encrypted critical business systems—leading to significant downtime and operational disruption.

DrayTek’s Response

DrayTek has released firmware updates to address these vulnerabilities, including patches for devices that have reached end-of-life status. The company strongly urges all users to:

  • Update their devices immediately,
  • Restrict remote access to router management
  • Follow best practices for securing network infrastructure.

However, in a survey conducted by Forescout Vedere Labs, its reported that a  concerning number of organisations have yet to implement these updates, leaving them exposed to active exploitation.

How to Secure Your DrayTek Routers

To mitigate these risks and prevent attackers from exploiting vulnerable routers, our team recommends the following critical actions:

  • Update Firmware Immediately: Visit DrayTek’s official support page and apply the latest firmware patches for all affected models. Firmware updates close security holes that attackers exploit and are the first line of defense. Neglecting this step leaves your router—and network—wide open to compromise.
  • Disable Remote Access: Turn off remote management features, such as the web-based interface, unless necessary. Remote access significantly increases exposure to external attacks. If remote access is essential, ensure it is protected by a VPN or restricted to trusted IP addresses.
  • Restrict Management Interfaces: Limit access to the management interface to internal networks or specific, pre-approved IP addresses. Public exposure of these interfaces is a leading factor in recent compromises.
  • Adopt Strong Security Practices:
    • Use strong, unique passwords for all accounts. Default or weak credentials are an easy entry point for attackers.
    • Enable two-factor authentication (2FA) where supported to add an extra layer of protection.
    • Regularly audit and rotate passwords to maintain security hygiene.
    • Monitor Network Traffic and Logs:
    • Regularly inspect router logs for unauthorised login attempts, unusual activity, or configuration changes.
    • Deploy network monitoring tools to identify suspicious traffic patterns that may indicate a compromise.
    • Segment Your Network: Use network segmentation to limit the spread of an attack. A compromised router should not provide direct access to critical systems or sensitive data.

Why Routers Are Key Targets

Routers are often overlooked in cyber security strategies, despite their critical role as the gateway to an organisation’s network. Compromising a router enables attackers to bypass perimeter defenses, monitor traffic, and infiltrate connected devices. The recent exploitation of DrayTek devices highlights how attackers capitalise on unpatched, exposed systems to:

  • – Deliver ransomware,
  • – Exfiltrate sensitive data,
  • – Launch large-scale botnet campaigns,
  • – Disrupt operations through DDoS attacks.

For small businesses relying on DrayTek routers, these incidents serve as a wake-up call: patching and securing your network infrastructure is no longer optional—it’s essential.

In summary

Our Incident Response Team has seen first-hand how these vulnerabilities can escalate into full-blown ransomware attacks. Businesses must act immediately to secure their devices and prevent becoming the next target.

If you use DrayTek routers, ensure firmware updates are applied, remote access is disabled, and robust security controls are in place. For organisations unsure of their exposure, conducting a vulnerability assessment is a crucial first step.