CVE-2023-33778
Published 2023-06-01
Priority P3 · 55 · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.2nd percentile)
Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys, which allows attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website.
Affected
120 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | myvigor | < 2.3.2 | 2.3.2 |
| draytek | vigor1000b_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor1000b_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor130_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor130_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor165_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor165_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor166_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor166_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor167_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor167_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor2135ac_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor2135ac_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor2135ax_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor2135ax_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor2135fvac_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor2135fvac_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor2135vac_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor2135vac_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor2620l_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor2620l_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor2620ln_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor2620ln_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
| draytek | vigor2763ac_firmware | < 3.9.6 | 3.9.6 |
| draytek | vigor2763ac_firmware | >= 4.0.0 < 4.2.4 | 4.2.4 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.