Action Required: Update your firmware immediately to version 3.9.6.3 or later
DrayTek have become aware of a possible exploit of the Vigor 3910 / 2962 related to the WebUI if remote management is enabled without an ACL in place. On 8th July 2021 we released an updated firmware to address this issue.
Necessary Action: Users of affected models should upgrade to 3.9.6.3 firmware or later as soon as possible.
The exploit could allow an attacker to discover admin and VPN credentials. As an additional precaution, we recommend that router admin passwords and any VPN passwords & PSKs are updated. We're not aware of any published PoC (proof of concept) relating to this vulnerability, but we recommend the post-upgrade steps to update credentials as a prudent action. After upgrading, check that the web interface now shows the new firmware version. Always back up your config before doing an upgrade.
If you discover anything anomalous on your device, please contact UK support immediately (if you are in the UK/Ireland).
Pre-upgrade Mitigation: You should upgrade firmware as soon as possible. However, if it is impossible to do this immediately, disable remote access to your device or use an ACL for remote access, then upgrade as soon as possible.
Firmware downloads are available from here (For UK/IE Region only).
Best practices
Regardless of this specific issue, systems can be made harder to target by following some good security practices such as:
Update Mailing List (UK/Ireland)
UK/Ireland users should subscribe to our mailing list in order to receive timely notifications of firmware or critical updates like this. As a general rule of best practice, always keep all of your products' firmware up to date and check for updates.
Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up to date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks, and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.
Please note that mail alerts on this issue will come from our domain "drayteknews.co.uk" not our web domain (draytek.co.uk). Both of the domains are legitimate and belong to us (DrayTek) but in line with anti-phishing measures, you're quite right to check.