
Unauthenticated RCE Flaw Patched in DrayTek Routers

Medium
Published: Fri Oct 03 2025 (10/03/2025, 11:36:42 UTC)
Source: SecurityWeek

Description

A critical unauthenticated remote code execution (RCE) vulnerability (CVE-2025-10547) was discovered and patched in DrayTek Vigor routers. The flaw can be exploited remotely via crafted HTTP/S requests to the device's web user interface, potentially causing memory corruption, system crashes, and arbitrary code execution without authentication. While remote WAN attacks can be mitigated by disabling remote WebUI and SSL VPN access or configuring ACLs, local network attackers may still exploit the vulnerability. DrayTek has released patches for 35 router models and urges immediate updates. The routers are widely used by prosumers and SMBs, making this a significant risk, especially given past ransomware campaigns targeting DrayTek devices. No exploitation in the wild has been reported yet, but the ease of exploitation and impact potential warrant urgent attention from European organizations using these routers.

AI-Powered Analysis

Last updated: 10/07/2025, 01:30:18 UTC

Technical Analysis

The vulnerability identified as CVE-2025-10547 affects DrayTek Vigor routers running DrayOS. It is an unauthenticated remote code execution flaw exploitable through crafted HTTP or HTTPS requests sent to the router’s web user interface. Successful exploitation can lead to memory corruption and system crashes, and under certain conditions, allow attackers to execute arbitrary code remotely. The vulnerability does not require authentication, significantly increasing its risk profile. DrayTek routers are commonly deployed by prosumers and small to medium-sized businesses, which often lack extensive security controls, increasing exposure. Although remote WAN exploitation is mitigated if remote WebUI and SSL VPN services are disabled or ACLs are properly configured, attackers with local network access can still exploit the flaw. Some router models support LAN-side VLANs and ACLs to restrict local WebUI access, which can help reduce risk. DrayTek has released firmware patches for 35 affected Vigor models and credited researcher Pierre-Yves Maes for reporting the issue. No known active exploitation has been reported, but the vulnerability’s characteristics and the history of DrayTek routers being targeted by ransomware groups underscore the threat’s seriousness. The vulnerability’s exploitation could disrupt business operations through device crashes or enable attackers to gain persistent control over network infrastructure, facilitating further attacks or data breaches.

Potential Impact

For European organizations, the impact of this vulnerability could be significant, especially for SMBs and prosumers relying on DrayTek Vigor routers for network connectivity. Exploitation could lead to denial of service via router crashes, disrupting internet access and business operations. More critically, arbitrary code execution could allow attackers to implant malware, intercept or manipulate network traffic, and pivot into internal networks, potentially leading to data breaches or ransomware infections. Given DrayTek’s popularity in Europe, especially among SMBs that may lack robust network segmentation and monitoring, the risk of lateral movement and persistent compromise is elevated. Disruption of critical business functions or exposure of sensitive data could result in financial losses, reputational damage, and regulatory penalties under GDPR. The vulnerability also poses risks to managed service providers and enterprises that use these routers in branch offices or remote sites. Although no exploitation in the wild is reported yet, the ease of exploitation and unauthenticated nature make it a prime target for opportunistic attackers and automated scanning campaigns.

Mitigation Recommendations

European organizations should:

- Identify every DrayTek Vigor router in the environment, including those in branch offices, remote sites and MSP-managed estates, and apply the DrayTek firmware updates that remediate CVE-2025-10547. Keep the asset inventory current so vulnerable devices can be located quickly when the next advisory is published.
- Where immediate patching is not feasible, disable remote (WAN-side) access to the WebUI and SSL VPN services. This removes the internet-facing attack surface but does not protect against an attacker who already has a foothold on the LAN.
- Restrict the WebUI with Access Control Lists so that only trusted management addresses can reach it, and add firewall rules limiting access to the management ports. On models that support LAN-side VLANs and ACLs, place the management interface on a dedicated management VLAN and block WebUI access from user segments.
- Monitor for connections to the router's management interface from unexpected sources. Because the WebUI is normally served over HTTPS, request contents cannot be inspected without TLS termination, so base detection on source, destination and port (firewall or flow logs) rather than on payload, and deploy IDS/IPS signatures for this flaw as they become available.
- Audit router configurations regularly to confirm that remote management remains disabled and ACLs are intact, and brief IT staff on the vulnerability and the urgency of patching.
- Multi-factor authentication, where the router supports it, is worthwhile general hardening but does not mitigate this vulnerability: the flaw is reachable before any authentication takes place.
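The monitoring and ACL recommendations above can be turned into a concrete check. The following is an added example written for this page; it is not code from SecurityWeek, DrayTek or the original analysis. It assumes a simplified key=value firewall/flow log format, a router with the WAN address 203.0.113.1 and LAN address 192.168.1.1, a WebUI on TCP 80/443, and a management VLAN of 192.168.10.0/24; all of these are assumptions, and the sample log lines are constructed. It reports accepted TCP flows to the WebUI that originate outside the management VLAN, splitting them into WAN-side hits (remote WebUI should be disabled or ACL-restricted) and LAN-side hits (WebUI should be confined to the management VLAN).

```python
import ipaddress
from dataclasses import dataclass

# Assumed inventory (not from the advisory): the router's WAN and LAN addresses,
# the ports its WebUI listens on, and the only subnet that should ever manage it.
ROUTER_WAN = "203.0.113.1"
ROUTER_LAN = "192.168.1.1"
WEBUI_PORTS = {80, 443}
TRUSTED_MGMT_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample flow records in an assumed "timestamp key=value ..." format.
SAMPLE_FLOWS = [
    "2025-10-03T11:36:42Z action=ACCEPT proto=tcp src=198.51.100.7 dst=203.0.113.1 sport=51515 dport=443",
    "2025-10-03T11:37:01Z action=ACCEPT proto=tcp src=192.168.10.5 dst=192.168.1.1 sport=40210 dport=443",
    "2025-10-03T11:37:15Z action=ACCEPT proto=tcp src=192.168.20.44 dst=192.168.1.1 sport=40222 dport=80",
    "2025-10-03T11:37:20Z action=ACCEPT proto=udp src=192.168.20.44 dst=192.168.1.1 sport=53001 dport=53",
    "2025-10-03T11:38:02Z action=DROP proto=tcp src=198.51.100.9 dst=203.0.113.1 sport=60001 dport=443",
]


@dataclass
class Exposure:
    time: str
    src: str
    dst: str
    dport: int
    side: str    # "WAN" or "LAN"
    advice: str  # the mitigation from the recommendations that applies


def parse_flow(line: str) -> dict:
    """Parse one flow record into a dict; the first token is the timestamp."""
    parts = line.split()
    rec = {"time": parts[0]}
    for tok in parts[1:]:
        key, _, val = tok.partition("=")
        if key:
            rec[key] = val
    return rec


def is_trusted(src: str) -> bool:
    """True if the source address lies inside an allowed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def audit_webui_access(lines):
    """Return accepted TCP flows to the router WebUI from hosts outside the management VLAN."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        # Dropped or non-TCP traffic never reaches the HTTP/S interface, so skip it.
        if rec.get("action") != "ACCEPT" or rec.get("proto") != "tcp":
            continue
        dst, dport = rec.get("dst"), int(rec.get("dport", 0))
        if dst not in (ROUTER_WAN, ROUTER_LAN) or dport not in WEBUI_PORTS:
            continue
        if is_trusted(rec["src"]):
            continue
        if dst == ROUTER_WAN:
            side, advice = "WAN", "disable remote WebUI/SSL VPN or restrict it with an ACL"
        else:
            side, advice = "LAN", "confine WebUI access to the management VLAN with a LAN-side ACL"
        findings.append(Exposure(rec["time"], rec["src"], dst, dport, side, advice))
    return findings


if __name__ == "__main__":
    for f in audit_webui_access(SAMPLE_FLOWS):
        print(f"{f.time} {f.side}: {f.src} -> {f.dst}:{f.dport}; {f.advice}")
```

Run against the constructed log, the script reports two exposures: the internet host reaching the WAN address on 443, and a user-segment host reaching the LAN address on 80. The trusted management host, the UDP DNS query and the already-dropped WAN attempt are ignored. Pointing the same logic at real firewall or NetFlow exports is a quick way to confirm that the "remote WebUI disabled" and "LAN ACL" controls are actually holding.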


Technical Details

Article source: https://www.securityweek.com/unauthenticated-rce-flaw-patched-in-draytek-routers/ (fetched 2025-10-07 01:29:40 UTC, 922 words)

Threat ID: 68e46d046a45552f36e94aab

Added to database: 10/7/2025, 1:29:40 AM

Last enriched: 10/7/2025, 1:30:18 AM

Last updated: 10/7/2025, 8:21:26 AM