Draytek critical firmware update / remote code execution vulnerability, alert notice

[Admetos]

Just a heads up, Draytek have released a critical firmware update for a number of their routers, it relates to remote code execution. I have only discovered this today as the firmware for my 2860 was only released yesterday.

If you own a Draytek router it's worth reading the following link.

DrayTek Router unauthenticated remote code execution vulnerability (CVE-2022-32548)

www.draytek.com

Routers affected

Affected Model	Fixed Firmware Version
Vigor3910	4.3.1.1
Vigor3220 Series	3.9.7.2
Vigor2962 Series	4.3.1.1
Vigor2952 / 2952P	3.9.7.2
Vigor2927 Series	4.4.0
Vigor2927 LTE Series	4.4.0
Vigor2926 Series	3.9.8.1
Vigor2926 LTE Series	3.9.8.1
Vigor2925 Series	3.9.2
Vigor2925 LTE Series	3.9.2
Vigor2915 Series	4.3.3.2
Vigor2912	3.8.15
Vigor2866 Series	4.4.0
Vigor2866 LTE Series	4.4.0
Vigor2865 Series	4.4.0
Vigor2865 LTE Series	4.4.0
Vigor2862 Series	3.9.8.1
Vigor2862 LTE Series	3.9.8.1
Vigor2860 Series	3.9.2
Vigor2860 LTE Series	3.9.2
Vigor2832	3.9.6.1
Vigor2766 Series	4.4.2
Vigor2765 Series	4.4.2
Vigor2762 Series	3.9.6.4
Vigor2760 Series	3.8.9.6
Vigor2620 LTE Series	3.9.8.1
VigorLTE 200n	3.9.8.1
Vigor2135 Series	4.4.2
Vigor2133 Series	3.9.6.4
Vigor1000B	4.3.1.1
Vigor166	4.2.4
Vigor165	4.2.4

 

[Admetos]

Thanks for the heads up. I'm pretty sure I'm on their mailing list, but haven't seen anything about this. It even affects SSL VPNs - nasty!

I'm on the Draytek mailing list also, yet never received anything either.

Yes the following is also included in the Draytek 2860 firmware.

Improve the OpenSSL security (CVE-2022-0778)