PT-2025-40432 · Draytek · Vigor Routers

Published: 2025-10-02 · Updated: 2025-11-11 · CVE-2025-10547

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

DrayOS routers, versions prior to the fixed firmware.

Description

A flaw exists in the HTTP CGI request arguments processing component of DrayOS routers, potentially allowing an attacker to execute code remotely (RCE) through memory corruption. The issue stems from an uninitialized variable within the WebUI. Successful exploitation via crafted HTTP or HTTPS requests may lead to memory corruption and system crashes. DrayTek routers are commonly used by small to medium-sized businesses and have been targeted in previous attacks. The vulnerability is reachable through the WebUI, including from the local network.

Recommendations

Update the firmware to the latest version to address the vulnerability.
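The advisory names the weakness class (an uninitialized variable in CGI request-argument handling) but not the affected code. The following added example, written for this page and not taken from DrayOS or any DrayTek firmware, illustrates that class in a hypothetical toy query-string parser: the unsafe variant writes only the fields it happens to see into a caller-supplied struct, so a bare "key" token leaves `value` and `has_value` as whatever was on the stack; the hardened variant zero-initializes every record, bounds every copy, and rejects malformed tokens instead of leaving fields indeterminate. All names (`cgi_arg`, `parse_query`, the sample query string) are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_FIELD 64
#define MAX_ARGS  8

/* One parsed "key=value" pair from a query string. */
struct cgi_arg {
    char key[MAX_FIELD];
    char value[MAX_FIELD];
    int  has_value;          /* 1 only when a '=' was present */
};

/* BUG PATTERN (hypothetical, not DrayOS code). The caller passes a
 * struct that was never zeroed; for a token without '=' this function
 * touches neither `value` nor `has_value`, so later code that does
 * strlen(out->value) or trusts has_value operates on stack garbage:
 * undefined behaviour that can surface as a crash or memory corruption.
 * Kept here only to show the shape of the defect; nothing calls it. */
static void parse_arg_unsafe(const char *token, struct cgi_arg *out) {
    const char *eq = strchr(token, '=');
    if (eq) {
        snprintf(out->key, sizeof out->key, "%.*s", (int)(eq - token), token);
        snprintf(out->value, sizeof out->value, "%s", eq + 1);
        out->has_value = 1;
    } else {
        snprintf(out->key, sizeof out->key, "%s", token);
        /* out->value and out->has_value left indeterminate */
    }
}

/* HARDENED: every field is defined before use, every copy is bounded,
 * and a token the parser cannot represent is an error, not a partial
 * record. Returns 0 on success, -1 on a malformed or oversized token. */
static int parse_arg_safe(const char *token, size_t token_len, struct cgi_arg *out) {
    memset(out, 0, sizeof *out);                /* no indeterminate bytes */
    const char *eq = memchr(token, '=', token_len);
    size_t klen = eq ? (size_t)(eq - token) : token_len;
    if (klen == 0 || klen >= MAX_FIELD)         /* empty key or no room for NUL */
        return -1;
    memcpy(out->key, token, klen);
    out->key[klen] = '\0';
    if (eq) {
        size_t vlen = token_len - klen - 1;
        if (vlen >= MAX_FIELD)
            return -1;
        memcpy(out->value, eq + 1, vlen);
        out->value[vlen] = '\0';
        out->has_value = 1;
    }
    return 0;
}

/* Split "a=1&b&c=3" on '&' into at most `max` records.
 * Returns the number of records, or -1 if any token is rejected
 * or the caller's array would overflow. */
int parse_query(const char *qs, struct cgi_arg *args, size_t max) {
    size_t n = 0;
    const char *p = qs;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        if (len > 0) {                          /* skip empty "&&" segments */
            if (n >= max || parse_arg_safe(p, len, &args[n]) != 0)
                return -1;
            n++;
        }
        if (!amp)
            break;
        p = amp + 1;
    }
    return (int)n;
}

/* Consumer that only ever reads a defined value: falls back to `dflt`
 * when the token had no '='. With the unsafe parser this is exactly the
 * read that would hit uninitialized memory. */
const char *arg_value_or(const struct cgi_arg *a, const char *dflt) {
    return a->has_value ? a->value : dflt;
}

int main(void) {
    struct cgi_arg args[MAX_ARGS];
    /* constructed sample query string */
    int n = parse_query("user=admin&debug&page=1", args, MAX_ARGS);
    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", args[i].key, arg_value_or(&args[i], "<absent>"));
    (void)parse_arg_unsafe;                     /* referenced, never executed */
    return 0;
}
```

The defensive point for a reviewer or fuzzing harness is the bare-key case: any CGI argument parser should be tested with tokens lacking '=', empty keys, oversized fields and repeated '&', and every output record should be fully defined regardless of which branch the parser took.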

Fix

Weakness Enumeration

Related Identifiers

BDU:2025-13369
CVE-2025-10547

Affected Products

Vigor Routers