The firmware (version 3.9.6.3) has corrected a WebGUI security issue that could allow router admin and VPN credentials to be discovered if remote management was enabled without an ACL. We strongly recommend you follow the steps below to review the security settings in your Vigor router.
Necessary Action:
We recommend users of affected models should upgrade firmware to version 3.9.6.3 or later and change the passwords for admin login and password/PSKs for VPN profiles after upgrading the firmware.
| Model |
Fixed Firmware Version |
Download Link |
| Vigor2962 |
3.9.6.3 |
|
| Vigor3910 |
3.9.6.3 |
|
- Use a strong password for admin login and all VPN profiles. Change the passwords
periodically.
- Disable any unnecessary services and VPN profiles, like OpenVPN, PPTP VPN, or remote
management (Web, SNMP, telnet, SSH, FTP) from WAN. If any service is enabled, please
enable ACL, 2FA, or specify the VPN peer IP to restrict the access.
- Enable Brute Force Protection in Management setup page.
- Record Syslog and set up VPN/login Mail Alerts and review the logs periodically. While
seeing the abnormal attack events, we can enable DoS Defense and block those IPs by using the Blacklist.
Contact Technical Support
Should you have any security-related inquiry regarding one of our products, please contact DrayTek Technical Support.