In April 2022, we became aware of a possible exploit affecting some of our products that was identified during testing and reported to us*. We are not aware of any exploits of this in the wild and started to release firmware updates in May 2022.
Our standard best practice recommendation is to always keep firmware up to date, but we recommend that you check that affected units are running at least the firmware version in the table below. To protect users until all firmware versions were available and to give time for upgrades no other information about the issue was released originally. The vulnerability has now been announced under CVE-2022-32548 and is related to a possible exploit of the router's Web UI login page.
DrayTek new firmwares with security updates for this vulnerability are shown as follows.
|Affected Model||Fixed Firmware Version|
|Vigor2952 / 2952P||18.104.22.168|
|Vigor2927 LTE Series||4.4.0|
|Vigor2926 LTE Series||22.214.171.124|
|Vigor2925 LTE Series||3.9.2|
|Vigor2866 LTE Series||4.4.0|
|Vigor2865 LTE Series||4.4.0|
|Vigor2862 LTE Series||126.96.36.199|
|Vigor2860 LTE Series||3.9.2|
|Vigor2620 LTE Series||188.8.131.52|
*Thank you for Trellix Threat Labs Vulnerability Research team for their testing and prompt reporting.
Should you have any security-related inquiry regarding one of our products, please contact DrayTek Technical Support.