DrayTek router RCE Explained and How to Respond


DrayTek has released a patch for a serious flaw in its Vigor routers. The vulnerability, tracked as CVE-2025-10547, allows attackers to run code without logging in. The flaw is triggered by specially crafted HTTP or HTTPS requests sent to the router’s web interface. If exploited, it can cause memory corruption, device crashes, or in some cases, full remote code execution.

The company explained that routers are safer from internet-based attacks when remote web access and SSL VPN services are disabled. Using strong access control lists also helps. However, attackers inside the local network can still abuse the bug if the web interface is exposed. DrayTek credited security researcher Pierre-Yves Maes from ChapsVision for reporting the flaw in July. Firmware updates for 35 Vigor models were released on October 2, and the company urged users to update right away.

While DrayTek has not confirmed active attacks, history shows these routers are a common target. Last year, ransomware groups broke into hundreds of organizations through an unknown DrayTek flaw. Because of this track record, security experts warn that waiting to patch could be risky.

The bug stems from a memory-handling error. Attackers can trick the device into freeing memory it should not, a bug class known as an “arbitrary free.” That mistake can crash the router. In skilled hands, it can also open the door to running malicious code. Since routers act as the main gate for network traffic, a takeover could give attackers full access to the network behind it.

The best defense is to update firmware as soon as possible. While preparing for updates, administrators should block remote access to the web interface, enforce strict access rules, and use VLANs to separate router management from general traffic. These steps limit risk but do not remove the flaw. Updating is the only full fix.
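To turn the mitigation order above (patch first; otherwise disable remote web access and SSL VPN, apply ACLs, isolate management on a VLAN) into a repeatable triage of a router fleet, here is an added example that is not DrayTek's code. The inventory fields and sample devices are constructed, and the `patched` flag is assumed to have been filled in by comparing each device's firmware with the vendor's October 2 release list.

```python
"""Exposure triage for CVE-2025-10547 on DrayTek Vigor routers (added example,
not DrayTek's code). Inventory fields and sample devices are constructed;
`patched` is assumed to come from checking against the October 2 firmware list."""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    patched: bool            # running the fixed firmware (assumed lookup)
    remote_web_access: bool  # web UI reachable from the WAN side
    ssl_vpn: bool            # SSL VPN service enabled
    acl_restricted: bool     # management ACL limits source addresses
    mgmt_vlan: bool          # management UI isolated on its own VLAN


def triage(dev: Device) -> tuple[str, list[str]]:
    """Return (priority, actions) following the advisory's mitigation order.
    P0: patched. P1: internet-facing web UI or SSL VPN with no ACL.
    P2: internet-facing but ACL-limited, or LAN-only on a flat network.
    P3: LAN-only on an isolated management VLAN (still needs the patch)."""
    if dev.patched:
        return "P0", []
    actions = ["update firmware"]
    if dev.remote_web_access or dev.ssl_vpn:
        if dev.remote_web_access:
            actions.append("disable remote web access")
        if dev.ssl_vpn:
            actions.append("disable SSL VPN until patched")
        if not dev.acl_restricted:
            actions.append("apply management ACL")
            return "P1", actions
        return "P2", actions
    # LAN-only web UI: the bug is still reachable from inside the network.
    if not dev.mgmt_vlan:
        actions.append("move management to a dedicated VLAN")
        return "P2", actions
    return "P3", actions


SAMPLE_INVENTORY = [  # constructed: name, patched, remote_web, ssl_vpn, acl, vlan
    Device("branch-fw", False, True, True, False, False),
    Device("hq-edge", False, True, False, True, True),
    Device("lab-router", False, False, False, False, False),
    Device("shop-router", True, True, False, False, False),
]


def work_queue(devices: list[Device]) -> list[tuple[str, str]]:
    """Unpatched devices ordered most urgent first, as (priority, name)."""
    return sorted((triage(d)[0], d.name) for d in devices if not d.patched)
```

Running `work_queue(SAMPLE_INVENTORY)` puts the internet-facing router without an ACL at the top and drops the patched one entirely.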

Small businesses and advanced home users rely heavily on Vigor routers, which is why this issue matters. Many of these networks lack dedicated IT teams, making them easier targets. If a router is compromised, attackers could spread ransomware or steal sensitive data. Even someone with access to the local Wi-Fi could trigger the bug if protections are weak.

CVE-2025-10547 should be treated as a top priority. Firmware updates are already available, and applying them now will protect networks from a possible large-scale attack. Those who delay risk leaving their systems open to a proven attack path.

Security teams also warn that router vulnerabilities tend to move quickly from disclosure to exploitation. Once technical details circulate, proof-of-concept exploits often appear in underground forums within days. That pattern makes edge devices like routers especially dangerous targets, because many sit unmonitored for long periods. Attackers actively scan the internet for exposed management interfaces, and unpatched DrayTek devices could be swept up in those scans.

Another concern is persistence. If attackers achieve remote code execution on a router, they can implant backdoors that survive reboots and even some configuration changes. That gives them long-term visibility into network traffic, including credentials, internal services, and cloud connections. In small business environments, this kind of access can go unnoticed for months.

Experts also stress that this vulnerability highlights a broader issue with network hygiene. Many organizations still expose router management interfaces for convenience or remote troubleshooting. CVE-2025-10547 shows why that practice is risky. Even trusted internal networks can be compromised through phishing, infected laptops, or rogue devices, giving attackers a foothold to exploit router flaws.

For DrayTek users, the message is straightforward. Patch immediately, review exposure, and assume routers are high-value assets that deserve the same attention as servers and endpoints. With attackers increasingly targeting infrastructure devices, delayed updates are no longer just a maintenance issue. They are a direct security liability.