Researchers detected two threat groups exploiting command injection flaws in the wild
UPDATED Two critical vulnerabilities in enterprise networking kit from DrayTek are under active attack, prompting an urgent call to apply a recently released firmware update.
A pair of attack groups are each exploiting separate zero-day command injection flaws in DrayTek Vigor enterprise routers and switch devices to eavesdrop on traffic within corporate networks, among other exploits, according to a post on Qihoo 360’s Netlab blog.
One threat group apparently exploited a keyPath vulnerability to download and execute a malicious script delivered in plain text.
“The most interesting part is that the hacked devices don't perform the regular botnet stuff such as DDoS, mining or spamming,” Yiming Gong, director of the network security research lab at Qihoo 360, told The Daily Swig.
“Instead, they snoop on users’ traffic, which means they are probably aiming at something bigger.”
The second attack group targeted an rtick bug to create SSH and web session backdoors and add a system backdoor account.
The flaws affect Vigor models 2960, 300B, and 3900.
Qihoo 360 first detected the attacks on December 4, 2019. Four days later, Gong said, the researchers disclosed the attacks to a third-party vendor who said “they would relay the message”, but later discovered this had not been done.
A spokesperson for DrayTek confirmed that they never received this report.
“Obviously, reporting a problem to a vendor firstly and allowing sufficient time for a solution and users to upgrade is the best way to protect users,” the spokesperson told The Daily Swig, adding that they had an official channel for disclosure.
On December 25, Qihoo 360 disclosed the ongoing attacks (but not the vendor involved) in two Twitter posts, indicating that about 100,000 devices were vulnerable worldwide.
The security researchers also reported the issue to several national computer emergency response teams.
In a security advisory issued on February 10, DrayTek – a Taiwanese manufacturer of broadband equipment – said it eventually became aware of a “possible exploit” on January 30, and on February 6 released firmware version 1.5.1 to address the issue.
Qihoo 360’s Yiming Gong said the single CVE referenced by DrayTek (CVE-2020-8515) relates to both flaws.
Advice to users
For those unable to patch, DrayTek’s advisory urges users of its affected Vigor models to “disable remote (admin) access” as a workaround to guard against potential attacks.
The researchers at Qihoo 360, meanwhile, recommend that users “check whether there is a tcpdump process, SSH backdoor account, web session backdoor, etc, on their systems” – all potential indicators of compromise.
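As an added illustration (not code from the article, Qihoo 360 or DrayTek), the following Python check looks for two of the indicators the researchers list, a running tcpdump process and an unexpected or UID-0 account, over `ps` and `/etc/passwd` text pulled from a device; the baseline account set and the sample inputs are constructed assumptions, not real router output.

```python
"""Look for host-level indicators named by the researchers: a packet-capture
process and a rogue system account. Inputs are plain text as obtained from
`ps` and /etc/passwd on the device; the samples below are constructed."""

# Assumed known-good account names for the device; adjust per firmware.
BASELINE_ACCOUNTS = {"root", "admin", "nobody"}
CAPTURE_TOOLS = {"tcpdump", "tshark"}

# Constructed sample data (not captured from a real device).
PS_SAMPLE = """PID USER TIME COMMAND
1 root 0:01 /sbin/init
215 root 0:00 /usr/sbin/sshd
987 root 3:12 /usr/sbin/tcpdump -i br0 -w /tmp/.x.pcap
"""
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/sh
admin:x:100:100:admin:/home/admin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
svc_backup:x:0:0::/root:/bin/sh
"""


def find_capture_processes(ps_output):
    """Return (pid, command) for processes whose binary is a capture tool."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, cmd = parts[0], parts[3]
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in CAPTURE_TOOLS:
            hits.append((int(pid), cmd))
    return hits


def find_suspicious_accounts(passwd_text, baseline=BASELINE_ACCOUNTS):
    """Flag accounts missing from the baseline or sharing UID 0 with root."""
    findings = []
    for line in passwd_text.strip().splitlines():
        fields = line.split(":")
        name, uid = fields[0], fields[2]
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if uid == "0" and name != "root":
            reasons.append("uid 0")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    print(find_capture_processes(PS_SAMPLE))
    print(find_suspicious_accounts(PASSWD_SAMPLE))
```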
This article was updated on April 8 with a clarification on the referenced CVE entry.