CVE-2025-10547
Description
An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker to achieve remote code execution (RCE) on the appliance through memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DrayOS routers have an uninitialized variable in HTTP CGI; unauthenticated remote attackers can achieve RCE via memory corruption.
A use-of-uninitialized-variable vulnerability exists in the HTTP CGI request arguments processing component of the DrayOS firmware running on DrayTek Vigor routers [1][2]. Because the affected code reads a variable on some code path before it has been assigned, a specially crafted HTTP request processed by the router's web interface can corrupt memory.
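To make the bug class concrete, the following is an added illustration of how an uninitialized variable in a CGI query-string argument parser turns into a memory-corruption primitive, beside a hardened version of the same parser. It is hypothetical code written for this page, not DrayOS or DrayTek code, and it does not claim to reproduce the real code path; the struct layout, the `VAL_MAX` bound, the sample query strings and all function names are assumptions. The "uninitialized" state is modelled deterministically by reusing one struct across tokens without clearing it, which is what a stack slot reused inside a loop looks like in practice.

```c
/*
 * Hypothetical illustration of CWE-457 (use of an uninitialized variable)
 * in a CGI query-string argument parser. Written for this page; NOT
 * DrayOS/DrayTek code and not a reproduction of the real code path.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

#define VAL_MAX 64   /* largest value the hardened parser accepts (assumed) */

/* One parsed "key=value" argument. */
struct cgi_arg {
    const char *key;
    size_t      key_len;
    const char *value;
    size_t      value_len;   /* later used as a memcpy length */
};

/* Vulnerable parser: a token without '=' leaves value/value_len untouched,
 * so the consumer sees whatever the memory held before (a stale pointer and
 * length from an earlier argument, or stack garbage). */
static void parse_arg_vuln(const char *tok, size_t tok_len, struct cgi_arg *a)
{
    const char *eq = memchr(tok, '=', tok_len);
    a->key = tok;
    if (eq) {
        a->key_len   = (size_t)(eq - tok);
        a->value     = eq + 1;
        a->value_len = tok_len - a->key_len - 1;
    } else {
        a->key_len = tok_len;   /* BUG: value and value_len not assigned */
    }
}

/* Hardened parser: every field is written on every path, and the value
 * length is bounded before it can drive a copy. Returns 0, or -1 on reject. */
static int parse_arg_fixed(const char *tok, size_t tok_len, struct cgi_arg *a)
{
    const char *eq = memchr(tok, '=', tok_len);
    memset(a, 0, sizeof *a);          /* no field keeps stale contents */
    a->key = tok;
    if (eq) {
        a->key_len   = (size_t)(eq - tok);
        a->value     = eq + 1;
        a->value_len = tok_len - a->key_len - 1;
    } else {
        a->key_len = tok_len;         /* value stays NULL, value_len 0 */
    }
    return a->value_len <= VAL_MAX ? 0 : -1;
}

/* Walk an '&'-separated query string, parsing every token into the SAME
 * struct (as a loop reusing one stack variable would). Returns the value_len
 * the consumer would hand to memcpy for the LAST token, or SIZE_MAX if the
 * hardened parser rejected a token. Reusing the struct without clearing it is
 * the deterministic stand-in for "uninitialized" used by this demo. */
static size_t last_value_len(const char *query, int use_fixed)
{
    struct cgi_arg a;
    const char *p = query;
    size_t last = 0;

    memset(&a, 0, sizeof a);          /* known starting state for the demo */
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t tok_len = amp ? (size_t)(amp - p) : strlen(p);
        if (use_fixed) {
            if (parse_arg_fixed(p, tok_len, &a) != 0)
                return SIZE_MAX;      /* oversized value rejected */
        } else {
            parse_arg_vuln(p, tok_len, &a);
        }
        last = a.value_len;
        if (!amp)
            break;
        p = amp + 1;
    }
    return last;
}

/* Constructed sample inputs: a 64-byte value followed by a bare "flag" token,
 * and a 65-byte value that exceeds VAL_MAX. */
static const char DEMO_QUERY[] =
    "name=" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"
            "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "&flag";
static const char OVERSIZED_QUERY[] =
    "x=" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"
         "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "A";

int main(void)
{
    /* A consumer with a 32-byte buffer would be overflowed by the stale
     * 64-byte length when it processes "flag" via the vulnerable parser. */
    printf("vulnerable parser, memcpy length for 'flag': %zu\n",
           last_value_len(DEMO_QUERY, 0));
    printf("hardened parser,   memcpy length for 'flag': %zu\n",
           last_value_len(DEMO_QUERY, 1));
    printf("hardened parser rejects 65-byte value: %s\n",
           last_value_len(OVERSIZED_QUERY, 1) == SIZE_MAX ? "yes" : "no");
    return 0;
}
```

The attacker-controlled part is only the shape of the request: a normal `key=value` argument to seed the stale length and pointer, then a bare token with no `=` to make the parser skip the assignment. The fix has two parts that belong together: initialise every output field on every path (here with `memset`), and bound any length that will later drive a copy, so a stale or oversized value cannot reach `memcpy` at all.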
The vulnerability can be exploited by an unauthenticated remote attacker who sends a crafted HTTP or HTTPS request to the device's Web User Interface (WebUI) [1]. By default, the WebUI is reachable only from the LAN; if remote administration over the Internet or EasyVPN is enabled, it is also reachable from the WAN, which extends the attack surface to the Internet. Access control lists (ACLs) that restrict which source addresses may reach the WebUI reduce exposure, but an attacker on a network the ACLs permit, such as the local LAN, can still exploit it [1].
Successful exploitation allows the attacker to execute arbitrary code on the router, effectively gaining root-level control [2]. This could enable an attacker to install backdoors, reconfigure network settings, intercept traffic, and use the device for lateral movement within the network [2].
DrayTek has released firmware updates for the affected models to remediate this vulnerability [1]. Users are strongly advised to upgrade to the firmware versions listed in the vendor advisory. As a temporary measure, disabling remote access to the WebUI and EasyVPN, and applying ACLs that limit which sources can reach the WebUI, reduce the risk until the device is patched [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in our index yet)