Post by Tweed
https://www.theregister.com/2024/10/02/draytek_routers_bugs/
Fourteen newly found bugs in DrayTek Vigor routers including one critical remote-code-execution flaw that received a perfect 10 out of 10 CVSS severity rating could be abused by crooks looking to seize control of the equipment to then steal sensitive data, deploy ransomware, and launch denial-of-service attacks.
It's estimated 785,000 of these devices are operating Wi-Fi networks.
Most of the vulnerabilities are in the routers' web-based user interface, so if a miscreant can reach that service on the local network or over the public internet, they can exploit the holes to take control of the box, and then launch other attacks on connected machines.
Despite Draytek's warning that these Vigor routers' control panels should only be accessible from a local network, Forescout Research's Vedere Labs found [PDF] more than 704,000 DrayTek boxes exposing their web interface to the public internet, ready and ripe for exploitation. Most of these (75 percent) are used by businesses, we're told.
Well, yes, anybody who enables a router's remote admin is a dickhead.
(This is the sort of thing which will give "IOT" a really bad name;
you should not have embedded boxes on an open port).
The right way is a VPN to the internal LAN.
You are still relying on the router's VPN functionality not having
some back door, but that side tends to be better tested.
Interestingly the 2955 or 2960 are not on that list. Both are
"obsolete" but the 2955 is especially old.