Networking vendor DrayTek has warned customers of a serious memory-safety flaw in multiple Vigor router models that can be triggered remotely through the devices' web user interface (WebUI) and, in certain circumstances, may allow unauthenticated attackers to corrupt memory or achieve remote code execution. The company released firmware updates and mitigation guidance after a security researcher reported the issue and demonstrated a working exploit against affected devices.
The defect stems from an uninitialized stack variable in the WebUI code: the stale contents of that variable are later handed to the allocator's free routine, giving an attacker an arbitrary free that corrupts the heap and can be weaponized. The vulnerability is tracked as CVE-2025-10547 and affects a broad set of Vigor models used by prosumers, small and medium businesses, and telecoms. DrayTek advised administrators to install the vendor-supplied firmware updates immediately and to restrict or disable remote WebUI access until patches are applied.
“Successful exploitation may cause memory corruption and a system crash, with the potential in certain circumstances to allow remote code execution.”
DrayTek’s advisory explains that the flaw is triggered when the WebUI processes specially crafted HTTP or HTTPS requests. Disabling WAN-facing management interfaces and the SSL VPN service reduces exposure, but the vendor cautioned that the WebUI remains reachable from local networks, so attackers with LAN access or an existing foothold can still exploit an unpatched device. The company published model-specific fixed firmware versions and urged operators to verify the firmware running on each device and to review the network access controls in front of it.
DrayTek Vigor RCE: Technical Summary and Risk
Researchers who examined the issue say the root cause is a stack variable that is read before it has been written. Whatever the stack slot happens to contain from earlier processing, which in practice an attacker can shape by sending requests that leave chosen data in the same region of the stack, is treated as a valid heap pointer and passed to the allocator's free routine. Freeing a pointer that was never allocated, or one that has already been released, corrupts allocator metadata; a skilled attacker can then groom the heap so that a later allocation or free overwrites a function pointer or return address, turning a reliable crash into arbitrary code execution.
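The pattern described above, reduced to a small model, as an added example that is not DrayTek's code and is not taken from the advisory or the researcher's write-up. The request handler, the `req_ctx` scratch structure and the tracking allocator are all assumptions made for illustration. A real firmware would pass the stale value to the C library's `free()`, which would silently corrupt heap metadata; the tracking allocator here instead reports any free of a pointer it never handed out, so the two outcomes (arbitrary free of attacker-chosen bytes, and double free of a dangling pointer) can be observed deterministically rather than through undefined behaviour.

```c
/* Model of the uninitialised-pointer-then-free bug class behind
   CVE-2025-10547. Added example, not DrayTek code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Tracking allocator standing in for the firmware heap. It remembers every
   live chunk so that freeing an unknown pointer is reported (-1) instead of
   corrupting allocator metadata the way a real free() would. */
static uintptr_t live[MAX_LIVE];

static void *heap_alloc(size_t n) {
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = (uintptr_t)p; return p; }
    free(p);
    return NULL;
}

static int heap_free(void *p) {
    if (!p) return 0;                         /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == (uintptr_t)p) { live[i] = 0; free(p); return 0; }
    return -1;                                /* never allocated or already freed */
}

/* Per-request scratch state (hypothetical). In the real bug this is a local
   on the stack; modelling it as caller-supplied memory lets the example reuse
   the same bytes across requests exactly as a reused stack frame would. */
struct req_ctx {
    char  *body;   /* heap copy of the request body */
    size_t len;
};

/* VULNERABLE: ctx->body is assigned only after the length check passes, yet
   the cleanup label frees it on every path. A rejected request frees whatever
   the scratch bytes held before: attacker-shaped data or a dangling pointer. */
static int handle_request_vuln(struct req_ctx *ctx, const char *req, size_t n, int *free_rc) {
    int rc = -1;
    if (n == 0 || n > 1024) goto cleanup;     /* early reject: body never set */
    ctx->body = heap_alloc(n + 1);
    if (!ctx->body) goto cleanup;
    memcpy(ctx->body, req, n);
    ctx->body[n] = '\0';
    ctx->len = n;
    rc = 0;
cleanup:
    *free_rc = heap_free(ctx->body);          /* arbitrary free on the reject path */
    return rc;
}

/* FIXED: initialise every pointer before the first exit, and null it after
   freeing so a later reuse of the same memory cannot free it twice. */
static int handle_request_fixed(struct req_ctx *ctx, const char *req, size_t n, int *free_rc) {
    int rc = -1;
    ctx->body = NULL;
    ctx->len = 0;
    if (n == 0 || n > 1024) goto cleanup;
    ctx->body = heap_alloc(n + 1);
    if (!ctx->body) goto cleanup;
    memcpy(ctx->body, req, n);
    ctx->body[n] = '\0';
    ctx->len = n;
    rc = 0;
cleanup:
    *free_rc = heap_free(ctx->body);          /* NULL on the reject path */
    ctx->body = NULL;
    return rc;
}

typedef int (*handler_fn)(struct req_ctx *, const char *, size_t, int *);

/* Scenario 1: the scratch area still holds bytes an attacker planted earlier
   (constructed here with memset), then an oversized request hits the early
   reject. Returns the free result: -1 means an attacker-chosen pointer was
   passed to free. */
static int scenario_stale_attacker_bytes(handler_fn handler) {
    struct req_ctx scratch;
    char big[2048];
    int free_rc = 0;
    memset(&scratch, 0x41, sizeof scratch);   /* constructed stale stack contents */
    memset(big, 'A', sizeof big);
    handler(&scratch, big, sizeof big, &free_rc);
    return free_rc;
}

/* Scenario 2: a valid request allocates and frees a body, leaving a dangling
   pointer in the scratch area; the next request is rejected early. Returns
   -1 if the dangling pointer was freed a second time. */
static int scenario_double_free(handler_fn handler) {
    struct req_ctx scratch;
    static const char ok[] = "GET /cgi-bin/wlogin.cgi HTTP/1.1";   /* constructed */
    char big[2048];
    int free_rc = 0;
    memset(&scratch, 0, sizeof scratch);
    handler(&scratch, ok, sizeof ok - 1, &free_rc);
    memset(big, 'A', sizeof big);
    handler(&scratch, big, sizeof big, &free_rc);
    return free_rc;
}

int main(void) {
    printf("vuln  stale bytes: %d  double free: %d\n",
           scenario_stale_attacker_bytes(handle_request_vuln),
           scenario_double_free(handle_request_vuln));
    printf("fixed stale bytes: %d  double free: %d\n",
           scenario_stale_attacker_bytes(handle_request_fixed),
           scenario_double_free(handle_request_fixed));
    return 0;
}
```

The two handlers differ only in the lines that initialise `ctx->body` and clear it after the free, which is the whole fix for this bug class; the remaining effort in a real exploit goes into choosing what the stale pointer points at so that the corrupted allocator metadata yields a write the attacker controls.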
The vulnerability is particularly concerning because many Vigor routers run in environments where remote management is enabled by default or has been left reachable for convenience. Attackers who can reach the WebUI, whether over the internet through an exposed management port, through a poorly configured VPN, or from a compromised device on the LAN, can trigger the flaw without authenticating. The existence of a working proof-of-concept exploit makes prompt patching all the more urgent.
Operational impacts include potential device crashes, persistent compromise of routers used as network gateways, and the ability for attackers to install backdoors or pivot into internal networks. Because routers mediate traffic and provide DNS, VPN and firewall services, a successful exploit can yield long-term, stealthy access to enterprise and residential networks.
Affected Vigor Models And Mitigation
DrayTek published a list of affected Vigor series models alongside the minimum firmware versions that remediate the flaw. The impacted line-up spans flagship and legacy units frequently deployed in small office/home office and telecom contexts, underscoring the broad exposure across customer bases. System administrators should immediately inventory Vigor devices, confirm firmware versions, and schedule upgrades to the vendor-specified releases.
As an interim mitigation where immediate patching is impractical, DrayTek recommends disabling remote WebUI and SSL VPN access, applying ACLs or VLAN segmentation to restrict management-plane connectivity, and blocking management ports at the network perimeter. Organizations should also rotate administrative credentials, enforce strong authentication for device access, and enable enhanced logging and alerting to detect anomalous WebUI requests or unexpected crashes.
Network defenders are advised to treat unexplained router reboots, WebUI errors, or unusual outbound connections from gateway devices as potential indicators of attempted exploitation. For environments that cannot update firmware at once, isolating affected routers on management networks and applying micro-segmentation can substantially reduce risk.
“Disable WAN-facing WebUI access or restrict management to trusted subnets until devices are updated,” the vendor guidance recommends.
Patch prioritization should focus first on internet-facing devices and routers used by high-value customers or in central aggregation roles. Following updates, teams should verify device integrity, audit for unexpected configuration changes, and review logs for evidence of prior exploitation. Where evidence of compromise is found, organizations should assume potential lateral movement and conduct a broader incident response, including credential resets, forensic imaging and, where needed, device replacement.
DrayTek credited the reporting researcher and indicated that additional technical details would be disclosed in a coordinated manner. The vendor’s advisory is the authoritative source for firmware images, release notes and specific model guidance; administrators should obtain updates directly from official DrayTek support channels and avoid unverified third-party firmware distributions.
The discovery reaffirms the persistent risk posed by memory-safety defects in embedded networking equipment and the operational challenge of patching distributed devices. Given the potential for long-lived access following router compromise, network operators should integrate router firmware management into broader vulnerability and asset-management programs and test patch procedures in controlled windows to minimize service disruption.
For now, the immediate priorities are clear: apply the available firmware fixes, remove or restrict WAN-facing management interfaces, monitor for signs of exploitation, and validate that management controls are robust. Failure to act promptly leaves networks exposed to attacks that can move from denial-of-service to full remote code execution on critical gateway devices.