Over 200,000 routers commonly used by small- and medium-sized enterprises worldwide are vulnerable to CVE-2022-32548

A remote code execution vulnerability CVE-2022-32548 has been detected in a range of small business routers called Vigor, manufactured by a Taiwan firm DrayTek.

Edge devices such as corporate routers exist at the boundary between internal and external networks, making them a key target for cybercriminals and threat actors. Attacks on these devices can quickly lead to a compromised network and, ultimately, a data breach. 

According to Trellix, which issued the advisory, 200,000 devices with the CVE-2022-32548 vulnerability are currently exposed on the Internet and could be exploited without required interaction. Any the attack can lead to a complete compromise of the device, allowing for a network breach and unauthorized access to internal resources.

In no particular order, any compromised Vigor router can lead to:

  • Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
  • Hacker access to the internal resources located on the LAN that would normally require VPN-access or be present on the same network
  • Man-in-the-middle eavesdropping of network traffic
  • Spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the affected router
  • Packet capture of the data going through any port of the router
  • Threats from botnet activity (DDoS, hosting malicious data, etc.)

Organizations using the Vigor series of DrayTek routers are advised to patch to the latest firmware released by the manufacturer that address the vulnerability. Verify that port mirroring, DNS settings, authorized VPN access and other relevant settings have not been tampered with.

Also, do not expose the routers’ management interface to the Internet, and enable 2FA and IP restrictions to minimize attack risks. Finally, change the access passwords of all affected devices and revoke any secret stored on routers that may have been compromised.