Remote Code Execution Vulnerability in Vigor Routers by Draytek
CVE-2025-10547

9.8CRITICAL

Key Information:

Vendor: Draytek Corporation
Status: Vigor1000b; Vigor2962; Vigor3910; Vigor3912
Vendor: CVE Published:; 3 October 2025

🔔 Create Draytek Corporation Vulnerability Alert

Badges

📰 News Worthy

What is CVE-2025-10547?

An uninitialized variable flaw in the HTTP CGI request processing of Vigor Routers can enable attackers to exploit memory corruption, potentially leading to remote code execution on affected devices. This vulnerability highlights the importance of robust input validation and memory management practices in network hardware.

Affected Version(s)

Vigor 2927 LTE 0 < 4.5.1

Vigor1000B 0 < 4.4.5.1

Vigor2135 0 < 4.5.1

News Articles

BleepingComputer

CVE-2025-10547

DrayTek warns of remote code execution bug in Vigor routers

Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute perform arbitrary code.

References

https://www.draytek.com/about/security-advisory/use-of-un...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 3, 2025
📰
First article discovered by BleepingComputer
Oct 2, 2025
Vulnerability Reserved
Sep 16, 2025

JSON