I've been rather busy over the last few days so am late to the conversation ... but tonight I found a 2760 running 3.5.x which had been compromised with no remote access services enabled - am I missing something - my understanding is that only devices with some sort of remote access have been compromised, but this one definitely did not have any remote access enabled (I had to access it via a local device)?

MTIA etc ...

Thats worrying but not too different to what we have heard already. Did you have SSL VPN active?

The Vigor 2760/62 shares the same codebase so would need updating - SSL being actually in use is not necessary.

SSL VPN not enabled.

Irksome wrote: SSL VPN not enabled.

Does it have a specific checkbox to disable?

No remote access to that device ... however I suspect somewhere in my portfolio of devices there will be similar device unpatched. I shall consult my records and gain access and report back.