Mallory
Severity: Critical

Unauthenticated RCE in DrayTek Vigor Routers DrayOS HTTP CGI Request Processing

Identifiers: CVE-2025-10547, CWE-457 (Use of Uninitialized Variable)

CVE-2025-10547 is a remote code execution vulnerability affecting DrayTek Vigor routers running DrayOS. The flaw sits in the component that processes HTTP CGI request arguments for the router's web administration interface (the WebUI on the LAN side and, where enabled, on the WAN side) and in the EasyVPN-related exposure referenced by the vendor. Its root cause is use of an uninitialized variable (CWE-457): a crafted request can leave a stack variable unset so that later code consumes stale memory as if it were valid data. A remote attacker sends crafted HTTP or HTTPS requests to the web interface to trigger the resulting memory corruption. In some cases this only crashes the device; with a reliable exploitation chain it yields arbitrary code execution on the appliance. The issue is reported as exploitable without authentication or user interaction, so the practical attack surface is whichever of these interfaces is reachable from an untrusted network.
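To make the CWE-457 class concrete, the following is an added example written for this page, not DrayOS code and not derived from the vendor's advisory: a hypothetical CGI query-string handler in which a stack struct is populated only when the requested argument is present, and a caller that ignores the lookup's return code. The helper names (`parse_arg`, `handle_vulnerable`, `handle_hardened`), the `name` parameter and the constructed query strings are all assumptions made for the demonstration; the example shows the general bug pattern and its fix rather than the specific DrayOS code path.

```c
/* Added illustration of CWE-457 in a CGI argument handler. Hypothetical
 * example code, not DrayOS code: helper names, the "name" parameter and
 * the query strings are assumptions made for this demo. */
#include <stdio.h>
#include <string.h>

struct cgi_arg {
    const char *value;   /* points into the raw query string, not NUL-terminated */
    size_t len;
};

/* Find "key=value" in an '&'-separated query string. Fills *out and returns 0
 * on success; returns -1 and leaves *out UNTOUCHED when the key is absent.
 * That contract is exactly what makes the vulnerable caller below dangerous. */
static int parse_arg(const char *query, const char *key, struct cgi_arg *out)
{
    size_t klen = strlen(key);
    const char *p = query;

    while (*p != '\0') {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);

        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            out->value = p + klen + 1;
            out->len = plen - klen - 1;
            return 0;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return -1;
}

/* VULNERABLE pattern: 'a' is declared on the stack without an initializer and
 * the parser's return code is ignored. For a request carrying no "name="
 * argument, a.value and a.len hold whatever an earlier stack frame left
 * behind, so memcpy() reads through a stale pointer with a stale length:
 * a crash at best, a memory-disclosure or corruption primitive at worst. */
static size_t handle_vulnerable(const char *query, char *buf, size_t bufsz)
{
    struct cgi_arg a;                        /* uninitialized */
    parse_arg(query, "name", &a);            /* return value dropped */
    size_t n = a.len < bufsz - 1 ? a.len : bufsz - 1;
    memcpy(buf, a.value, n);                 /* stale pointer/len if key absent */
    buf[n] = '\0';
    return n;
}

/* HARDENED pattern: zero-initialize the struct, treat a failed lookup as a
 * rejected request, and bound the copy explicitly. Returns the value length,
 * or -1 when the argument is missing or does not fit in buf. */
static int handle_hardened(const char *query, char *buf, size_t bufsz)
{
    struct cgi_arg a = {0};
    if (parse_arg(query, "name", &a) != 0)
        return -1;                           /* no "name=": reject, do not guess */
    if (a.len >= bufsz)
        return -1;                           /* would overflow buf */
    memcpy(buf, a.value, a.len);
    buf[a.len] = '\0';
    return (int)a.len;
}

int main(void)
{
    char buf[16];
    /* Constructed query strings standing in for the CGI request arguments. */
    const char *good = "name=admin&action=save";
    const char *bad  = "action=save";        /* no "name=": the trigger case */

    printf("hardened(good) = %d (%s)\n", handle_hardened(good, buf, sizeof buf), buf);
    printf("hardened(bad)  = %d\n", handle_hardened(bad, buf, sizeof buf));
    /* handle_vulnerable(bad, ...) is deliberately NOT called: its behaviour is
     * undefined and depends on stale stack contents, which is the bug. */
    return 0;
}
```

The vulnerable handler behaves correctly on every request that carries the expected argument, which is why this class of bug survives functional testing; it is the absent-argument request, the one a fuzzer or an attacker sends, that reaches the uninitialized fields. The hardened version costs one initializer and one return-code check.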


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in full compromise of the affected router. An unauthenticated remote attacker may achieve arbitrary code execution with root-level control of the appliance, enabling installation of backdoors, modification of configuration, interception or blocking of traffic, service disruption via crashes, persistence on the device, and use of the router as a pivot point for lateral movement into the internal network.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable EasyVPN and remote WebUI administration on the WAN side wherever they are not strictly required; because the bug is reachable before authentication, strong passwords do not help. Restrict the LAN web administration interface to trusted management hosts and networks only, and reduce WAN exposure further with ACLs and VLAN segmentation. After changing the exposure, confirm from an external vantage point that the management ports no longer answer on the WAN address. Monitor router interfaces and logs for unusual HTTP/HTTPS access patterns, unexpected reboots or crashes, and signs of unauthorized configuration changes.

Remediation

Patch, then assume compromise.

Upgrade affected DrayTek Vigor routers to the patched firmware versions provided by DrayTek. Administrators should consult the vendor security advisory and product resources to identify the fixed firmware for each affected model and apply updates promptly, starting with devices whose web interface or VPN services face the internet. Patching closes the entry point but does not undo a compromise that already happened: for any device that was exposed before the update, review the configuration for unexpected changes (administrator accounts, DNS settings, VPN profiles, port forwards, syslog or remote-management targets), rotate the device's credentials and any secrets stored on it, and, where an implant cannot be ruled out, restore from a known-good configuration after a factory reset rather than trusting the running state.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability at the time this page was compiled.
