CVE-2023-33778
📋 TL;DR
Draytek Vigor routers, access points, switches, and Myvigor firmware use hardcoded encryption keys, allowing attackers to bind affected devices to their own accounts. This enables unauthorized creation of WCF and DrayDDNS licenses and synchronization from the website. All users with affected firmware versions are vulnerable.
💻 Affected Systems
- Draytek Vigor Routers
- Draytek Vigor Access Points
- Draytek Vigor Switches
- Myvigor firmware
📦 What is this software?
Myvigor by Draytek
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over affected devices, create unauthorized licenses, redirect network traffic, and potentially compromise entire networks.
Likely Case
Attackers bind devices to their accounts, create fraudulent licenses, and potentially intercept or manipulate network traffic.
If Mitigated
With proper patching, the vulnerability is eliminated; with network segmentation, impact is limited to isolated devices.
🎯 Exploit Status
Exploitation requires network access but no authentication; public proof-of-concept exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Routers: 3.9.6/4.2.4 or later, Access Points: v1.4.0 or later, Switches: 2.6.7 or later, Myvigor: 2.3.2 or later
Vendor Advisory: https://www.draytek.com/support/security-advisory/
Restart Required: Yes
Instructions:
1. Download the latest firmware from Draytek's official website. 2. Log into the device's admin interface. 3. Navigate to the firmware update section. 4. Upload and apply the new firmware. 5. Reboot the device as prompted.
🔧 Temporary Workarounds
Network Segmentation
allIsolate affected devices from the internet and critical internal networks to limit attack surface.
Disable Remote Management
allTurn off remote management features if not required to prevent external exploitation.
🧯 If You Can't Patch
- Replace affected devices with patched or non-vulnerable models.
- Implement strict network access controls and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the device's admin interface under System Status or Maintenance.Check Version:
Log into the device's web interface and navigate to System Status or similar section.Verify Fix Applied:
Confirm the firmware version matches or exceeds the patched versions listed in the fix.📡 Detection & Monitoring
Log Indicators:
- Unexpected account binding events
- Unauthorized license creation in logs
- Failed login attempts from unknown IPs
Network Indicators:
- Unusual outbound connections to Draytek servers
- Suspicious DNS queries for DrayDDNS
SIEM Query:
source="draytek_device" AND (event="account_bind" OR event="license_create")