
CVE-2025-44643: n/a

High
Published: Mon Aug 04 2025 (08/04/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Certain Draytek products are affected by Insecure Permissions. This affects AP903 v1.4.18 and AP912C v1.4.9 and AP918R v1.4.9. The setting of the secret field in the FreeRadius-related clients.conf configuration file sets a hardcoded weak password, posing a security risk.

AI-Powered Analysis

Last updated: 08/04/2025, 15:03:18 UTC

Technical Analysis

CVE-2025-44643 identifies a security vulnerability in certain Draytek networking products, specifically the AP903 version 1.4.18, AP912C version 1.4.9, and AP918R version 1.4.9. The vulnerability arises from insecure permissions related to the FreeRadius-related clients.conf configuration file. In this file, the 'secret' field is set to a hardcoded weak password. FreeRadius is a widely used open-source RADIUS server that handles authentication, authorization, and accounting for network access, and the secret in clients.conf is the shared secret that a RADIUS client and the server use to authenticate each other's packets.

Because the secret is hardcoded and weak, attackers with access to the device or network could potentially authenticate against the RADIUS server using this known secret, bypassing normal authentication controls. This could allow unauthorized users to gain access to network resources or manipulate authentication processes. The vulnerability is rooted in insecure configuration management and poor credential handling practices, which undermine the security of the affected devices.

Although no known exploits are currently reported in the wild, the weakness presents a significant risk if attackers gain network access or can interact with the RADIUS service. The lack of a CVSS score indicates that the vulnerability has not yet been fully assessed for severity, but the technical details suggest a critical security flaw due to the potential for unauthorized network access. No patches or mitigations are currently linked, so affected organizations must proactively address this issue through configuration changes, or through firmware updates once available.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those relying on Draytek AP903, AP912C, and AP918R access points in their network infrastructure. Exploitation could lead to unauthorized network access, allowing attackers to intercept, manipulate, or disrupt network traffic. This could compromise confidentiality by exposing sensitive data, integrity by allowing unauthorized changes to network authentication, and availability by potentially disrupting network services. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and critical infrastructure, could face regulatory and reputational damage if this vulnerability is exploited. Additionally, since FreeRadius is often used in enterprise and ISP environments, the impact could extend to service providers and their customers. The absence of known exploits in the wild provides a window for mitigation, but the hardcoded weak password significantly lowers the barrier for attackers who gain network proximity or access to the device management interfaces.

Mitigation Recommendations

European organizations should immediately audit their network devices to identify the presence of the affected Draytek models and firmware versions. Until official patches are released, administrators should manually inspect the clients.conf configuration file on these devices to identify and change the hardcoded secret to a strong, unique password. Network segmentation should be enforced to limit access to management interfaces and RADIUS services only to trusted administrators and systems. Implementing network access controls such as VLANs and firewall rules can reduce exposure. Monitoring network logs for unusual authentication attempts or access patterns related to RADIUS services is critical for early detection. Organizations should also engage with Draytek support to obtain firmware updates or official guidance. Finally, consider replacing affected devices with models that do not have this vulnerability if remediation is not feasible in the short term.
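The manual clients.conf inspection recommended above can be scripted. The following is an added example, not code from Draytek, FreeRADIUS or this advisory: it parses client blocks from a copy of clients.conf and reports which clients carry a weak secret without printing the secret. The sample file, the denylist and the 16-character minimum are assumptions; the advisory does not state the hardcoded value.

```python
import re
# Constructed sample in FreeRADIUS clients.conf syntax (not taken from DrayTek firmware).
SAMPLE = '''client localhost {
    secret = testing123
}
client ap-floor2 {
    secret = "radius"   # quoted value, trailing comment
    limit {
        max_connections = 16
    }
}
client core-nas {
    secret = "kT9#vLq2_xWm7RzB4pYd8NcE"
}
'''
# Assumptions: illustrative denylist and length policy; the page does not give the hardcoded value.
KNOWN_WEAK = {"testing123", "radius", "secret", "password", "12345678"}
MIN_LENGTH = 16
SECRET_RE = re.compile(r'secret\s*=\s*(?:"([^"]*)"|([^\s#]+))')

def parse_clients(text):
    """Return {client: secret or None} per client block; '#' and braces inside quotes are ignored."""
    clients, current, depth = {}, None, 0
    for raw in text.splitlines():
        bare = re.sub(r'"[^"]*"', '""', raw).split("#", 1)[0]  # structure only, no values/comments
        if current is None:
            m = re.match(r'\s*client\s+(\S+)\s*\{', bare)
            if m:
                current, depth = m.group(1), 1
                clients[current] = None
            continue
        s = SECRET_RE.match(raw.strip())
        if s and depth == 1:  # skip "secret" keys inside nested sub-sections
            clients[current] = s.group(1) or s.group(2)
        depth += bare.count("{") - bare.count("}")
        if depth == 0:
            current = None
    return clients

def audit(text):
    """Return {client_name: [reasons]} for weak entries; the secret itself is never echoed."""
    findings = {}
    for name, secret in parse_clients(text).items():
        s = secret or ""
        checks = [(not s, "no secret set"),
                  (s.lower() in KNOWN_WEAK, "known default or weak value"),
                  (0 < len(s) < MIN_LENGTH, f"shorter than {MIN_LENGTH} characters")]
        findings[name] = [why for failed, why in checks if failed]
    return {name: why for name, why in findings.items() if why}
```

Calling `audit()` on the text of an exported clients.conf returns only client names and reasons, so the output can go into a ticket or report without exposing the secrets.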


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6890c80aad5a09ad00e1d6d3

Added to database: 8/4/2025, 2:47:38 PM

Last enriched: 8/4/2025, 3:03:18 PM

Last updated: 8/4/2025, 3:17:38 PM
