The unauthenticated Evil Wizard casts the remote control Spells on DrayTek Vigor Routers

In the ever-shifting realm of network security, a new malicious wizard has emerged — and this time, it targets the heart of small and medium-sized business networks: their routers. A critical flaw, tracked as CVE-2025-10547, affects multiple DrayTek Vigor models. By sending specially crafted HTTP or HTTPS requests, an unauthenticated attacker,

the so-called Evil Wizard, can corrupt memory and remotely seize full control of the device.

The weakness lies in an uninitialized stack value, a subtle programming oversight that enables arbitrary free() exploitation, transforming an ordinary router into a remote-controlled familiar under the wizard’s command. As routers sit at the frontline of SMB and enterprise infrastructures, this vulnerability represents a direct threat to the confidentiality and integrity of connected networks.

Phase 1: The Summoning Circle – The Flaw Awakens

The Evil Wizard’s incantation begins within DrayOS, the proprietary firmware powering DrayTek’s Vigor router line. Inside its Web User Interface (WebUI) and EasyVPN modules lies an uninitialized stack variable in a script that handles HTTP requests.

When an attacker sends crafted HTTP or HTTPS packets, the device attempts to free memory that was never initialized. This creates memory corruption, which can crash the router or, under specific conditions, allow remote code execution (RCE). By manipulating this behavior, the attacker hijacks execution flow, injecting their own code directly into the firmware runtime.

In practice, a single malformed packet is enough to gain total control. Once compromised, the attacker can install backdoors, alter routing tables, change VPN or firewall configurations, and use the router as a pivot point to access internal assets.

Phase 2: Bewitched Victims – Who Falls Under the Spell

The victims of this conjuration are the administrators and network operators who rely on Vigor routers to connect remote offices, manage VPNs, and secure traffic.

The affected population includes:

• SMBs and prosumers operating hybrid or multi-branch networks.

• Telecom providers and ISPs using DrayTek for local connectivity.

• Remote employees connected through EasyVPN.

• IT administrators and managed service providers (MSPs) responsible for multiple customer sites.

When WebUI or EasyVPN interfaces are reachable from the WAN, or the LAN WebUI is exposed to local threats, attackers can exploit the flaw remotely. A successful attack enables takeover, traffic interception, and lateral movement inside the network, while potentially exposing user credentials passing through the device.

Even well-segmented networks remain at risk if unpatched routers are left accessible by compromised internal systems or malicious insiders.

Affected DrayTek Vigor models and fixed firmware versions:

• Vigor1000B, Vigor2962, Vigor3910/3912 → Update to 4.4.3.6 or later (some models require 4.4.5.1).

• Vigor2135; Vigor2763 / 2765 / 2766; Vigor2865 / 2866 Series (incl. LTE & 5G); Vigor2927 Series (incl. LTE & 5G) → Update to 4.5.1 or later.

• Vigor2915 Series → Update to 4.4.6.1 or later.

• Vigor2862 / 2926 Series (incl. LTE) → Update to 3.9.9.12 or later.

• Vigor2952 / 2952P; Vigor3220 → Update to 3.9.8.8 or later.

• Vigor2860 / 2925 Series (incl. LTE) → Update to 3.9.8.6 or later.

• Vigor2133 / 2762 / 2832 Series → Update to 3.9.9.4 or later.

• Vigor2620 Series → Update to 3.9.9.5 or later.

• VigorLTE 200n → Update to 3.9.9.3 or later.

Phase 3: The Spell – Breach Method and Execution Vector

The Evil Wizard’s attack begins with a crafted HTTP or HTTPS request directed at the WebUI or EasyVPN module of a vulnerable router.

1. Entry Vector: The attacker sends a specially crafted HTTP/HTTPS request to the target interface.

2. Trigger: The malformed input reaches a vulnerable routine that references an uninitialized stack value.

3. Corruption: The firmware executes a free() call on arbitrary memory, causing corruption.

4. Exploitation: The attacker redirects the execution flow to achieve RCE, spawning a root shell or implant.

5. Aftermath: With root privileges, the attacker can install persistent malware, alter configurations, intercept traffic, and pivot deeper into internal systems.

This exploit allows the attacker to steal credentials and intercept communications passing through the router, without ever needing authentication. The risk extends across dozens of models and firmware versions, from high-end business routers like the Vigor3910 to legacy models such as the Vigor2832 or Vigor2620, all running vulnerable DrayOS builds.

Phase 4: The Counterspell – Containment and Defense

Breaking the Evil Wizard’s spell requires rapid and disciplined response. DrayTek has released patched firmware for all affected Vigor models, addressing the uninitialized memory handling that led to the vulnerability.

To defend against exploitation, organizations should:

• Apply firmware updates immediately, using the versions listed in DrayTek’s advisory.

• Disable or restrict remote access to WebUI or EasyVPN through ACLs or VLAN segmentation.

• Monitor logs for anomalies such as unexpected HTTP traffic or router reboots.

• Isolate unpatched devices from sensitive networks.

• Harden router management policies, ensuring minimal privilege and segmentation between administrative and operational domains.

In addition, organizations should treat routers as tier-one assets, equivalent to servers or domain controllers. Once compromised, a router can serve as a command post for broader infiltration.

Phase 5: The Final Circle – Lessons from the Wizard’s Spellbook

This incident reveals several critical lessons for defenders.

1. Routers are the perimeter’s weakest link. Their compromise grants deep access to internal communications.

2. Memory safety remains fundamental. A single uninitialized variable can evolve into full remote code execution.

3. Visibility is prevention. Continuous monitoring of firmware versions, configurations, and network activity is key to minimizing exposure.

As routers increasingly integrate VPNs, IoT management, and AI-powered administration, firmware vulnerabilities like CVE-2025-10547 will continue to attract threat actors looking for scalable points of control.

CVE-2025-10547 serves as a stark reminder that even trusted, business-grade network hardware can fall to a single line of unsafe code. The unauthenticated attacker — the Evil Wizard — doesn’t need stolen credentials or privileged access, only a reachable interface and a crafted packet.

Security depends not only on patching but on architecture awareness — understanding that every router, every gateway, and every firmware component is part of the organization’s attack surface.

By combining timely updates, strict access control, and persistent monitoring, defenders can break the spell before it spreads across the network.

Bleeping Computer

https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code-execution-bug-in-vigor-routers/amp/