Dive Brief:
- Researchers warn that three older vulnerabilities in DrayTek routers have been actively exploited in recent weeks, which coincides with widespread reports of devices automatically rebooting in recent days, according to GreyNoise Intelligence.
- Researchers said exploitation activity has been observed against three vulnerabilities, tracked as CVE-2020-8515, CVE-2021-20123 and CVE-2021-20124.
- GreyNoise researchers said they cannot directly link the exploitation to the reboots. However, in a post on X Wednesday morning, DrayTek said the reboots appear to be linked to vulnerabilities disclosed in early March.
Dive Insight:
Exploitation of the older vulnerabilities has been observed for at least the last 45 days, according to GreyNoise. That specific activity includes the following:
- A remote code execution vulnerability, tracked as CVE-2020-8515, has been exploited in multiple DrayTek router models. Researchers observed activity from 82 IPs over the past 30 days, with Indonesia, Hong Kong and the U.S. as the top destinations of the attack traffic.
- A directory traversal vulnerability in DrayTek Vigor Connect, tracked as CVE-2021-20123, has been probed by 23 IPs seen in the last 30 days. Top destinations include Lithuania, the U.S. and Singapore.
- A second directory traversal vulnerability in DrayTek Vigor Connect, tracked as CVE-2021-20124, has been probed by 22 IPs observed in the past 30 days. Lithuania, the U.S. and Singapore are the top destinations.
DrayTek said the reboots appear to be linked to a vulnerability disclosed earlier this month, though the company did not specify which one. Researchers from Faraday Security disclosed several vulnerabilities in a March 11 blog post. The report shows multiple security concerns, including weak authentication mechanisms, insecure kernel module updates and persistent opportunities for backdoors.
DrayTek issued an advisory on March 4 urging customers to upgrade their firmware in connection with buffer overflow vulnerabilities, tracked as CVE-2024-51138 and CVE-2024-51139, and thanked Faraday for reporting the issues.
The company said multiple buffer overflow vulnerabilities were identified in April 2024, and firmware fixes were released between August and October 2024. The company issued advisories earlier this month to encourage customers to check their versions.