CyberSecurity news

FlagThis - #routers

David Jones@cybersecuritydive.com //
DrayTek router owners across the globe experienced widespread connectivity issues recently as their devices became stuck in reboot loops. Internet service providers worldwide have alerted their customers to the problem, which began on Saturday night, affecting multiple DrayTek router models. The affected routers would intermittently lose connectivity and enter a boot loop, rendering them inoperable and disrupting internet services.

The root cause of the reboot loops is believed to be either attacks exploiting unspecified vulnerabilities or a buggy software update pushed by DrayTek. Some experts suggest that the problem may be due to existing vulnerabilities that customers have neglected to patch. In addition, GreyNoise has observed in-the-wild activity against several known vulnerabilities in DrayTek devices: CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124.

To address the issue, users experiencing unexpected disconnections are advised to disconnect the WAN cable, log into the router’s Web UI, and check the system uptime. DrayTek recommends checking the firmware version, ensuring that the latest version is installed, and, if remote access is enabled, disabling it unless absolutely necessary. Users can view router logs and debug logs to identify potential causes of the reboot.

References:
  • BleepingComputer: Many Internet service providers (ISPs) worldwide are alerting customers of an outage that started Saturday night and triggered DrayTek router connectivity problems.
  • V is for...: "Since 21:30 yesterday evening we have witnessed an unusually high volume of session drops, primarily impacting BT Wholesale and TalkTalk broadband sessions. The cause has been narrowed down to vulnerable firmware versions on Draytek routers." Shock horror. Draytek suck.
  • BleepingComputer: DrayTek routers worldwide go into reboot loops over weekend
  • The Register - Security: Hm, why are so many DrayTek routers stuck in a bootloop?
  • The DefendOps Diaries: Understanding the DrayTek Router Reboot Loop Crisis
  • bsky.app: This looks like some threat actor tried to exploit vulnerabilities in DrayTek Vigor routers.
  • The GreyNoise Blog: Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
  • GreyNoise: GreyNoise is bringing awareness to in-the-wild activity against multiple known vulnerabilities in DrayTek devices.
  • www.cybersecuritydive.com: DrayTek routers face active exploitation of older vulnerabilities
  • securityonline.info: Recent reports have highlighted widespread issues with DrayTek routers, including numerous reboots in the UK and Australia, and
  • The Hacker News: CISA Flags Two Six-Year-Old Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices
  • Risky Business Media: Ukraine’s state railway hit by a cyberattack, a ransomware attack reduces Malaysia’s largest airport to writing flight details on a whiteboard, buggy exploits put DrayTek routers in a reboot loop, and the NIST CVE backlog grows bigger despite efforts to address it.
Classification:
  • HashTags: #DrayTek #Router #Cybersecurity
  • Company: DrayTek
  • Target: DrayTek router owners
  • Product: Routers
  • Feature: bootloop
  • Type: HighRisk
  • Severity: Medium
Zeljka Zorz@Help Net Security //
Zyxel is warning users of its legacy DSL Customer Premises Equipment (CPE) products about actively exploited zero-day vulnerabilities that will not be patched. These vulnerabilities, identified as CVE-2024-40891 and CVE-2025-0890, allow attackers to execute arbitrary commands due to a combination of command injection flaws in the Telnet service and the presence of default credentials. This combination enables unauthenticated attackers to gain full control over affected routers, potentially leading to data theft, further attacks, and disruption of internet connectivity.

GreyNoise has observed attackers, including Mirai-based botnets, actively exploiting these vulnerabilities. The affected models, including VMG1312-B10A, VMG3926-B10B, and SBG3500, are end-of-life but remain in use and are even still available for purchase. As immediate actions, Zyxel recommends replacing these devices with newer models and disabling Telnet access. Default credentials such as "supervisor:zyad1234" and "zyuser:1234" are particularly problematic, as they give attackers easy access.
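The mitigations in the two items above (DrayTek: confirm the latest firmware, disable remote access unless required; Zyxel: retire end-of-life CPE, disable Telnet, watch for the default accounts) boil down to an inventory audit plus a log check. The script below is an added example written for this page, not code from either vendor or from any of the linked reports. The device records, firmware strings, model names other than the three Zyxel EOL models, and the syslog-like line format are constructed placeholders; the "latest firmware" table is something an operator would fill from the vendor's download page, not a statement about real releases.

```python
import re
from dataclasses import dataclass

# Values taken from the two news items: Zyxel EOL models and the default account names.
ZYXEL_EOL_MODELS = {"VMG1312-B10A", "VMG3926-B10B", "SBG3500"}
ZYXEL_DEFAULT_ACCOUNTS = {"supervisor", "zyuser"}


@dataclass
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: str
    telnet_enabled: bool
    remote_admin_enabled: bool


def audit_inventory(devices, draytek_latest_firmware):
    """Return (hostname, finding) pairs for devices that need operator action.

    draytek_latest_firmware maps a DrayTek model to the firmware string the operator
    has confirmed as current; the demo values below are placeholders.
    """
    findings = []
    for d in devices:
        if d.vendor == "Zyxel" and d.model in ZYXEL_EOL_MODELS:
            findings.append((d.hostname, "end-of-life Zyxel CPE with no patch available: replace device"))
            if d.telnet_enabled:
                findings.append((d.hostname, "Telnet enabled on EOL Zyxel CPE: disable Telnet now"))
        if d.vendor == "DrayTek":
            latest = draytek_latest_firmware.get(d.model)
            if latest is not None and d.firmware != latest:
                findings.append((d.hostname, f"firmware {d.firmware} is not the latest ({latest}): update"))
            if d.remote_admin_enabled:
                findings.append((d.hostname, "remote administration enabled: disable unless absolutely necessary"))
    return findings


# Constructed syslog-like login record; this format is an assumption for the example,
# not Zyxel's or DrayTek's real log layout.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>accepted|failed) (?P<proto>telnet|ssh|http) "
    r"login user=(?P<user>\S+) from=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def flag_default_credential_logins(lines):
    """Flag Telnet logins that use the Zyxel default account names.

    An accepted login is rated high (the device is likely compromised); a failed one
    is rated medium (someone is trying the published defaults against it).
    """
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        if m["proto"] == "telnet" and m["user"] in ZYXEL_DEFAULT_ACCOUNTS:
            severity = "high" if m["result"] == "accepted" else "medium"
            alerts.append({"host": m["host"], "user": m["user"], "src": m["src"],
                           "result": m["result"], "severity": severity})
    return alerts


# Constructed sample data (hypothetical hosts, placeholder models and firmware strings).
SAMPLE_DEVICES = [
    Device("cpe-branch-1", "Zyxel", "VMG1312-B10A", "1.00", True, False),
    Device("cpe-branch-2", "Zyxel", "NEWER-MODEL-PLACEHOLDER", "5.00", False, False),
    Device("rtr-office-1", "DrayTek", "VIGOR-MODEL-PLACEHOLDER", "0.9", False, True),
    Device("rtr-office-2", "DrayTek", "VIGOR-MODEL-PLACEHOLDER", "1.0", False, False),
]
DRAYTEK_LATEST = {"VIGOR-MODEL-PLACEHOLDER": "1.0"}  # placeholder, filled by the operator

SAMPLE_LOGS = [
    "2025-03-23T21:31:02Z cpe-branch-1 auth: accepted telnet login user=supervisor from=198.51.100.7",
    "2025-03-23T21:31:05Z cpe-branch-1 auth: failed telnet login user=zyuser from=198.51.100.7",
    "2025-03-23T21:32:10Z rtr-office-2 auth: accepted ssh login user=admin from=192.0.2.10",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, finding in audit_inventory(SAMPLE_DEVICES, DRAYTEK_LATEST):
        print(f"[inventory] {host}: {finding}")
    for a in flag_default_credential_logins(SAMPLE_LOGS):
        print(f"[auth] {a['severity']}: {a['user']} via telnet on {a['host']} from {a['src']} ({a['result']})")
```

On the sample data the audit reports four findings (both for the EOL Zyxel unit with Telnet on, and both for the DrayTek router that is behind on firmware with remote administration enabled) and the log check raises two alerts, one high for the accepted `supervisor` Telnet login and one medium for the failed `zyuser` attempt. Keying the rule on the published default account names rather than on passwords means it works from ordinary auth logs without ever handling a credential.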

References:
  • securityonline.info: Zyxel Routers Under Attack: Default Credentials (CVE-2025-0890) and Code Injection (CVE-2024-40891), No Patch!
  • Dataconomy: Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
  • securityonline.info: Security researchers have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE), leaving countless users vulnerable.
  • Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup.
  • vulnerability.circl.lu: A new bundle, Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup.
  • BleepingComputer: Zyxel will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
Classification: