【Vulnerability Alert】A high-risk security vulnerability (CVE-2025-10547) has been identified in DrayTek DrayOS. Please verify and apply the necessary patches as soon as possible.
Source: Ministry of Education Information & Communication Security Contingency Platform
"" "" ""
Publication Number | TACERT-ANA-2025101411101818 | Publication Time | 2025/10/14 11:02
Incident Type | ANA-Vulnerability Alert | Discovery Time | 2025/10/14 11:02
Impact Level | Medium

[Subject]
【Vulnerability Alert】A high-risk security vulnerability (CVE-2025-10547) has been identified in DrayTek DrayOS. Please verify and apply the necessary patches as soon as possible.

[Content]
Forwarded from the National Institute of Cyber Security, NISAC-200-202510-00000003.
Researchers have discovered a Use of Uninitialized Variable vulnerability (CVE-2025-10547) in DrayTek DrayOS. An unauthenticated remote attacker can send specially crafted HTTP or HTTPS requests to the device's web interface, causing memory corruption and system crashes, and under certain conditions may achieve arbitrary code execution. Please verify and apply patches as soon as possible.
Information Sharing Level: WHITE (information content can be publicly disclosed)

[Affected Platform]
● Vigor2962 – versions earlier than 4.4.3.6 or earlier than 4.4.5.1 (exclusive)
● Vigor3910 – versions earlier than 4.4.3.6 or earlier than 4.4.5.1 (exclusive)
● Vigor3912 – versions earlier than 4.4.3.6 or earlier than 4.4.5.1 (exclusive)
● Vigor2135 – versions earlier than 4.5.1 (exclusive)
● Vigor2763 – versions earlier than 4.5.1 (exclusive)
● Vigor2765 – versions earlier than 4.5.1 (exclusive)
● Vigor2766 – versions earlier than 4.5.1 (exclusive)
● Vigor2865 Series – versions earlier than 4.5.1 (exclusive)
● Vigor2865 LTE Series – versions earlier than 4.5.1 (exclusive)
● Vigor2865L-5G Series – versions earlier than 4.5.1 (exclusive)
● Vigor2866 Series – versions earlier than 4.5.1 (exclusive)
● Vigor2866 LTE Series – versions earlier than 4.5.1 (exclusive)
● Vigor2927 Series – versions earlier than 4.5.1 (exclusive)
● Vigor2927 LTE Series – versions earlier than 4.5.1 (exclusive)
● Vigor2927L-5G Series – versions earlier than 4.5.1 (exclusive)
● Vigor2915 Series – versions earlier than 4.4.6.1 (exclusive)
● Vigor2862 Series – versions earlier than 3.9.9.12 (exclusive)
● Vigor2862 LTE Series – versions earlier than 3.9.9.12 (exclusive)
● Vigor2926 Series – versions earlier than 3.9.9.12 (exclusive)
● Vigor2952 – versions earlier than 3.9.8.8 (exclusive)
● Vigor2952P – versions earlier than 3.9.8.8 (exclusive)
● Vigor3220 – versions earlier than 3.9.8.8 (exclusive)
● Vigor2860 Series – versions earlier than 3.9.8.6 (exclusive)
● Vigor2860 LTE Series – versions earlier than 3.9.8.6 (exclusive)
● Vigor2925 Series – versions earlier than 3.9.8.6 (exclusive)
● Vigor2925 LTE Series – versions earlier than 3.9.8.6 (exclusive)
● Vigor2133 Series – versions earlier than 3.9.9.4 (exclusive)
● Vigor2762 Series – versions earlier than 3.9.9.4 (exclusive)
● Vigor2832 Series – versions earlier than 3.9.9.4 (exclusive)
● Vigor2620 Series – versions earlier than 3.9.9.5 (exclusive)
● VigorLTE 200n – versions earlier than 3.9.9.5 (exclusive)

[Recommended Actions]
https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/
https://www.draytek.com/zh/support/latest-firmwares/

[Reference]
2. https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/
3. https://www.draytek.com/zh/support/latest-firmwares/
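As an added inventory check that is not part of this advisory (example code, not from TACERT or DrayTek): the script below encodes the affected-platform list above and flags devices whose firmware is below the fixed build for their model family. It assumes that the two builds named for Vigor2962/3910/3912 are two separate release branches (4.4.3.x and 4.4.5.x), that a build on neither branch is flagged unless it is newer than every fixed build, and the sample inventory rows are constructed.

```python
import re

# Fixed (first safe) firmware per model family, transcribed from the advisory above.
# ASSUMPTION: the two builds listed for Vigor2962/3910/3912 are separate branches.
FIXED_VERSIONS = {
    "Vigor2962": ["4.4.3.6", "4.4.5.1"], "Vigor3910": ["4.4.3.6", "4.4.5.1"],
    "Vigor3912": ["4.4.3.6", "4.4.5.1"], "Vigor2915": ["4.4.6.1"],
    "Vigor2135": ["4.5.1"], "Vigor2763": ["4.5.1"], "Vigor2765": ["4.5.1"],
    "Vigor2766": ["4.5.1"], "Vigor2865": ["4.5.1"], "Vigor2866": ["4.5.1"],
    "Vigor2927": ["4.5.1"], "Vigor2862": ["3.9.9.12"], "Vigor2926": ["3.9.9.12"],
    "Vigor2952": ["3.9.8.8"], "Vigor2952P": ["3.9.8.8"], "Vigor3220": ["3.9.8.8"],
    "Vigor2860": ["3.9.8.6"], "Vigor2925": ["3.9.8.6"], "Vigor2133": ["3.9.9.4"],
    "Vigor2762": ["3.9.9.4"], "Vigor2832": ["3.9.9.4"], "Vigor2620": ["3.9.9.5"],
    "VigorLTE 200n": ["3.9.9.5"],
}

def parse_version(text):
    """'4.4.5.1_STD' or 'v3.9.9.12' -> (4, 4, 5, 1) / (3, 9, 9, 12)."""
    digits = re.search(r"\d[\d.]*", text).group().strip(".")
    return tuple(int(p) for p in digits.split("."))

def model_family(model):
    """'Vigor2865ac' -> 'Vigor2865'; longest match so 'Vigor2952P' stays distinct."""
    flat = model.replace(" ", "").lower()
    hits = [k for k in FIXED_VERSIONS if flat.startswith(k.replace(" ", "").lower())]
    return max(hits, key=len) if hits else None

def is_affected(model, version):
    """True if below the fixed build for its branch; None if model not listed."""
    family = model_family(model)
    if family is None:
        return None
    running = parse_version(version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS[family]]
    # Same branch = same first three components; off-branch builds are flagged
    # unless newer than every fixed build (conservative choice).
    branch = [f for f in fixes if f[:3] == running[:3]]
    return running < (branch[0] if branch else max(fixes))

def audit(inventory):
    """inventory: (hostname, model, firmware) rows -> rows needing action."""
    return [r for r in inventory if is_affected(r[1], r[2]) is not False]

# Constructed sample inventory (not real devices); unlisted models are reported too.
SAMPLE = [("gw-01", "Vigor2865ac", "4.4.5.1"), ("gw-02", "Vigor2962", "4.4.3.6"),
          ("gw-03", "Vigor2952P", "3.9.8.7"), ("gw-04", "Vigor2962", "4.4.5.0"),
          ("gw-05", "Vigor3000", "1.0")]
if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("ACTION:", *row)
```

Models that return None are not in the advisory's list and should be checked against the vendor pages rather than assumed safe.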
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw