Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute perform arbitrary code.
The flaw, tracked identified as CVE-2025-10547, was reported to the vendor on July 22 by ChapsVision security researcher Pierre-Yves Maes.
"The vulnerability can be triggered when unauthenticated remote attackers send crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI)," reads DrayTek's security advisory.
"Successful exploitation may cause memory corruption and a system crash, with the potential in certain circumstances could allow remote code execution."
DrayTek noted that WAN exposure can be reduced by disabling remote WebUI/SSL VPN access or restricting it with ACLs/VLANs. However, the WebUI remains reachable over LAN, exposed to local attackers.
Maes told BleepingComputer that the root cause for CVE-2025-10547 is an uninitialized stack value that can be leveraged to cause the free() function to operate on arbitrary memory locations, also known as arbitrary free(), to achieve remote code execution (RCE).
The researcher successfully tested his findings by creating an exploit and running it on DrayTek devices.
DrayTek's security bulletin does not mention ongoing exploitation, but it is recommended to mitigate the risk.
Below are the models impacted by CVE-2025-10547, and the recommended firmware version upgrade target to mitigate the flaw:
Vigor1000B, Vigor2962, Vigor3910/3912 → 4.4.3.6 or later (some models 4.4.5.1)
... continue reading