IMMEDIATE SHUTDOWN: Critical RCE Flaw (CVE-2025-10547) in DrayTek Vigor Routers Grants Unauthenticated Root Access    

Chapter 1: CODE RED — This is Not a Drill. Shut Down Your DrayTek Router NOW.

This is an urgent and direct warning to all users of DrayTek Vigor series routers. A critical, unauthenticated Remote Code Execution (RCE) vulnerability, tracked as **CVE-2025-10547**, is under active, widespread, and automated exploitation. The time between an attacker finding your vulnerable router and compromising it can be measured in minutes.

Due to the severity of this flaw and the speed of the attacks, our recommendation is unprecedented: if you are running a vulnerable, internet-exposed device, **you must disconnect it from the internet or shut it down immediately.** This is the only way to guarantee the protection of your network while you prepare to apply the necessary patches and hardening.

Chapter 2: The Threat Analysis — Unauthenticated Command Injection

The vulnerability is a classic, unauthenticated **command injection** in the router's web interface. This is a severe flaw that allows an attacker to gain `root` access with a single web request. For a more technical breakdown of a similar flaw, see our analysis of the **TOTOLINK RCE**.

An attacker can send a malicious HTTP request containing a hidden OS command to the router's login page. The DrayOS software improperly validates this input and executes the attacker's command with the highest privileges, leading to a full system takeover.

Chapter 3: The Defender's Playbook — The 4-Step Shutdown, Patch, and Harden Protocol

Do not attempt to patch this device while it is still connected to the hostile internet. Follow this protocol precisely.

Step 1: CONTAINMENT — Disconnect the Router from the Internet

Unplug the Ethernet cable that connects your DrayTek router to your modem (the cable in the "WAN" port). Your internet will go down. This is necessary. You are now safe from external attack.

Step 2: PATCH — Perform an Offline Firmware Update

From a trusted computer that is already connected to the router's Wi-Fi, open a web browser and go to its login page (usually `192.168.1.1`). You will not have internet, but you can still access the router's local admin page. Separately, using a different internet connection (like your phone's hotspot), go to the official DrayTek support website, download the latest firmware for your model to that computer, and then use the "System Maintenance" -> "Firmware Upgrade" option in the router's interface to install it.

Step 3: HARDEN — Disable Remote Access

After the patch is installed and the router has rebooted, log back in. Navigate to the administration settings and find the option for **"Remote Management"** or **"WAN Access."** **DISABLE IT**. This is a critical step to prevent exposure to future vulnerabilities.

Step 4: RECONNECT & VERIFY

Only after you have completed the first three steps should you plug the internet cable back into the router's WAN port. Your system is now patched and hardened.

Chapter 4: The Strategic Lesson — The Pervasive Insecurity of SOHO/SMB Edge Devices

This incident is another brutal reminder that the SOHO/SMB-grade routers and firewalls that form the backbone of small business networks are a massive, systemically insecure attack surface. As we also saw with the previous **DrayTek RCE (CVE-2022-32548)**, these devices are often deployed with insecure default settings and are rarely patched.

For users, the lesson is clear: you must be proactive in managing the security of your network's front door. For the industry, this is a call to action: vendors must enable auto-updating features by default and build their products to be secure out of the box.