DrayTek Routers Vulnerability Exploited in the Wild – Possibly Links to Reboot Loop

Mar 26, 2025 - 13:44

Multiple internet service providers worldwide are reporting widespread disruptions as DrayTek routers enter continuous reboot loops, affecting businesses and consumers alike. 

Security intelligence firm GreyNoise has identified the active exploitation of several DrayTek vulnerabilities, which could be linked to these mysterious reboots that began around March 22, 2025.

Users in the UK, Australia, Vietnam, Germany, and other countries have reported DrayTek routers across multiple model series intermittently losing connectivity and entering boot loops. 

ISPs, including Gamma, Zen Internet, ICUK, and Andrews & Arnold in the United Kingdom, confirmed these disruptions, attributing them to attacks targeting unspecified vulnerabilities.

“The cause has been narrowed down to vulnerable firmware versions on DrayTek routers. If you are seeing broadband circuits exhibiting repeat short sessions, please upgrade the firmware to the latest version,” ICUK stated.
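The indicator ICUK describes, repeat short sessions on a broadband circuit, can be checked against session accounting data. The Python below is an added example, not code from ICUK, DrayTek, or GreyNoise; the `circuit,start,stop` record format, the circuit names, and the thresholds are all assumptions to be replaced with your own accounting export and baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the article): tune to your own baseline.
SHORT_SESSION = timedelta(minutes=10)   # a session shorter than this is "short"
MIN_SHORT_RUN = 3                       # this many short sessions ...
WINDOW = timedelta(hours=1)             # ... starting within this window

# Constructed sample accounting records: circuit id, session start, session stop.
SAMPLE_RECORDS = """\
circuit-a,2025-03-23T09:00:00,2025-03-23T09:04:50
circuit-a,2025-03-23T09:06:10,2025-03-23T09:11:05
circuit-a,2025-03-23T09:12:30,2025-03-23T09:17:20
circuit-a,2025-03-23T09:18:40,2025-03-23T09:23:35
circuit-b,2025-03-22T00:00:00,2025-03-23T12:00:00
circuit-c,2025-03-23T08:00:00,2025-03-23T08:03:00
circuit-c,2025-03-23T15:00:00,2025-03-23T15:04:00
circuit-c,2025-03-23T22:00:00,2025-03-23T22:02:00
"""

def parse_records(text):
    """Yield (circuit, start, stop) from 'circuit,start,stop' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        circuit, start, stop = line.split(",")
        yield circuit, datetime.fromisoformat(start), datetime.fromisoformat(stop)

def flapping_circuits(records):
    """Return {circuit: most short sessions in any WINDOW} for flagged circuits."""
    short_starts = defaultdict(list)
    for circuit, start, stop in records:
        if stop < start:
            continue  # skip malformed record rather than miscount it
        if stop - start < SHORT_SESSION:
            short_starts[circuit].append(start)
    flagged = {}
    for circuit, starts in short_starts.items():
        starts.sort()
        best, left = 0, 0
        for right, ts in enumerate(starts):  # sliding window over start times
            while ts - starts[left] > WINDOW:
                left += 1
            best = max(best, right - left + 1)
        if best >= MIN_SHORT_RUN:
            flagged[circuit] = best
    return flagged

if __name__ == "__main__":
    for circuit, count in sorted(flapping_circuits(parse_records(SAMPLE_RECORDS)).items()):
        print(f"{circuit}: {count} short sessions within {WINDOW}")
```

In the constructed sample, `circuit-c` also has three short sessions, but they are hours apart, so only the tightly clustered pattern on `circuit-a` is flagged.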

Observed Vulnerability Exploitation

GreyNoise has documented in-the-wild exploitation attempts against three known DrayTek vulnerabilities over the past 45 days:

CVE-2020-8515: A remote code execution vulnerability affecting multiple DrayTek router models.

While no activity has been observed in the past 24 hours, 82 unique IP addresses were recorded exploiting this vulnerability in the past 30 days.

CVE-2021-20123 and CVE-2021-20124: Directory traversal vulnerabilities in DrayTek VigorConnect. 

Both vulnerabilities have shown active exploitation within the last 24 hours, with 23 and 22 unique attacking IP addresses recorded, respectively.

The most targeted countries include Lithuania, the United States, and Singapore, according to GreyNoise data.

The impact has been substantial across multiple sectors. In Thu Duc, Ho Chi Minh City, an Internet café owner reported that since March 23, “the network has been intermittently unstable despite multiple device restarts.”

Another user in Ho Chi Minh City who uses a DrayTek Vigor 2925 noted that their “IP camera repeatedly lost connection,” and their router management page showed “uptime reset to zero every five minutes.”

Mitigations Recommended

DrayTek has published guidance for affected users, recommending immediate action: “The solution is to disconnect the WAN and then try to upgrade to the latest firmware.” Additional recommendations include:

  • Disabling Remote Management and SSL VPN Service.
  • Implementing access control lists (ACL).
  • Enabling two-factor authentication where available.
  • Monitoring for system alerts and notifications.

This incident follows Forescout Technologies’ October 2024 findings that identified 14 previously unknown vulnerabilities in DrayTek routers, including one with the highest possible severity rating of 10.

Security researchers continue to monitor the situation, with GreyNoise tracking exploit attempts in real time. Network administrators using DrayTek equipment are strongly advised to implement the recommended mitigations immediately.

The post DrayTek Routers Vulnerability Exploited in the Wild – Possibly Links to Reboot Loop appeared first on Cyber Security News.