Researchers at Trellix have discovered a critical unauthenticated remote code execution (RCE) vulnerability impacting 29 models of the DrayTek Vigor series of business routers.
The vulnerability is tracked as CVE-2022-32548 and carries a maximum CVSS v3 severity score of 10.0, categorizing it as critical.
An attacker needs neither credentials nor user interaction to exploit the vulnerability, and in the default device configuration the attack is viable from both the internet and the LAN.
Hackers who exploit this vulnerability could potentially perform the following actions:
- complete device takeover,
- information access,
- laying the groundwork for stealthy man-in-the-middle attacks,
- changing DNS settings,
- using the routers as DDoS or cryptominer bots,
- or pivoting to devices connected to the breached network.