CVE-2022-32548 Detection: Critical RCE Vulnerability Affects DrayTek’s Flagship Models


Researchers revealed a critical security hole in 29 models of DrayTek Vigor routers, totaling more than 700,000 devices currently in use. DrayTek Vigor routers gained popularity during the worldwide shift to home offices during the pandemic and are mostly used by employees of small and medium-sized businesses in the UK, Netherlands, Vietnam, Taiwan, and Australia.

The vulnerability is tracked as CVE-2022-32548 and allows for remote code execution (RCE), putting at risk the entire compromised network. The flaw is rated with a CVSS score of 10.0.

The Taiwanese SOHO manufacturer confirmed that the criminal hackers succeeded with the exploit without any user interaction; the only prerequisite is that the device be internet-facing.

Detect CVE-2022-32548

The increasing number and severity of exploits expand the attack surface, putting more users at risk each day. SOC Prime’s team of Detection Engineers promptly releases Sigma-based content for the latest threats to help SOC professionals stay current on emerging threats. One of the recently published Sigma rules identifies potential CVE-2022-32548 exploitation attempts:

Possible DrayTek Vigor Routers RCE exploitation attempt [CVE-2022-32548] (via proxy)

The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the main technique, available for 10 SIEM, EDR & XDR platforms.
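To make the detection idea concrete, the following is an added example written for this page; it is not SOC Prime’s Sigma rule (whose logic is not reproduced here) and not Trellix’s research code. It scans constructed JSON-per-line proxy records and flags POST requests to a router login path whose request body is far larger than any legitimate credential form, which is the observable one would expect from the login-page buffer overflow the article describes. The log schema, the `login` path pattern, the 1024-byte threshold, and the host and IP values are all assumptions made for the example; the ATT&CK technique tag T1190 is the one the article names.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed: the router login page path contains "login". The real DrayTek
# path is not given on the page, so this pattern is a placeholder.
LOGIN_PATH = re.compile(r"login", re.IGNORECASE)
# Assumed threshold: a genuine credential POST is a few hundred bytes at most;
# a body many times larger is consistent with an overflow attempt.
MAX_LOGIN_BODY_BYTES = 1024


@dataclass(frozen=True)
class Alert:
    ts: str
    src_ip: str
    dst_host: str
    uri: str
    req_bytes: int
    technique: str = "T1190"  # ATT&CK: Exploit Public-Facing Application


def parse_line(line: str) -> Optional[dict]:
    """Parse one JSON-per-line proxy record; return None for malformed lines."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    required = {"ts", "src_ip", "dst_host", "method", "uri", "req_bytes"}
    if not isinstance(rec, dict) or not required.issubset(rec.keys()):
        return None
    return rec


def is_suspicious(rec: dict) -> bool:
    """True for a POST to a login path carrying an oversized request body."""
    return (
        rec["method"].upper() == "POST"
        and LOGIN_PATH.search(rec["uri"]) is not None
        and int(rec["req_bytes"]) > MAX_LOGIN_BODY_BYTES
    )


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the check over every record, skipping lines that fail to parse."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            alerts.append(Alert(rec["ts"], rec["src_ip"], rec["dst_host"],
                                rec["uri"], int(rec["req_bytes"])))
    return alerts


# Constructed sample proxy records (not real traffic); host, path and IPs are placeholders.
SAMPLE_LOG = [
    '{"ts":"2022-08-04T10:00:01Z","src_ip":"10.0.0.5","dst_host":"router.example","method":"POST","uri":"/router/login","req_bytes":182}',
    '{"ts":"2022-08-04T10:00:02Z","src_ip":"10.0.0.5","dst_host":"router.example","method":"GET","uri":"/router/login","req_bytes":0}',
    '{"ts":"2022-08-04T10:03:17Z","src_ip":"203.0.113.9","dst_host":"router.example","method":"POST","uri":"/router/login","req_bytes":8192}',
    '{"ts":"2022-08-04T10:03:18Z","src_ip":"203.0.113.9","dst_host":"router.example","method":"POST","uri":"/router/status","req_bytes":9000}',
    'not json at all',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src_ip} -> {a.dst_host}{a.uri} body={a.req_bytes}B [{a.technique}]")
```

Only the third record fires: a normal-sized login POST, a GET of the login page, and an oversized POST to a non-login path are all left alone, and the unparseable line is skipped rather than crashing the scan. In production the threshold would be tuned against a baseline of legitimate login sizes for the specific firmware, and the path pattern replaced with the router's actual login endpoint.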

If you are new to the SOC Prime Platform – an industry-leading provider of Detection-as-Code content, browse through a vast collection of Sigma rules with relevant threat context, CTI and MITRE ATT&CK references, CVE descriptions, and get updates on threat hunting trends. No registration is required! Press the Explore Threat Context button to learn more. Register by clicking the Detect & Hunt button below and unlock unlimited access to the world’s first platform for collaborative cyber defense, threat hunting, and discovery that integrates with 26+ SIEM, EDR, and XDR platforms.


CVE-2022-32548 Analysis

The Trellix Threat Labs research team warns users of affected devices about the impacts of exploitation, which include the leak of sensitive data, compromised devices used as DDoS or crypto-miner bots, man-in-the-middle attacks, adversaries accessing resources located on the LAN, lateral movement, and complete device takeover.

The chain of evidence suggests that the vulnerability is triggered through a buffer overflow on the router’s login page. At least 200,000 of the discovered routers were determined to be internet-facing, making them sitting ducks for adversaries looking to exploit CVE-2022-32548. The remaining 500,000 can only be exploited via the LAN.

The vendor has released patches for all the affected models.

In the avalanche of critical vulnerabilities, it is vital to stay current with the events pertaining to the cybersecurity industry. Follow the SOC Prime blog for the latest security news and updates regarding detection content releases. Looking for a trustworthy platform to distribute your detection content while promoting collaborative cyber defense? Join SOC Prime’s crowdsourcing program to share your Sigma and YARA rules with the community, automate threat investigation, and get feedback and vetting from a community of 28,000+ security professionals to boost your security operations.
