Taiwanese networking firm DrayTek has responded to a wave of unexplained router reboots affecting users worldwide—but the root cause remains unclear. Despite issuing updates and advisories, several key questions about the DrayTek router reboot vulnerability are still unanswered, raising concerns in the cybersecurity community.
Starting in late March, DrayTek customers across the UK, Australia, and other regions began reporting constant reboots on their routers. These disruptions led to severe internet connectivity issues, prompting speculation that a security vulnerability was being actively exploited. However, at the time, DrayTek offered no concrete details on what flaw might be responsible.
DrayTek Points to Legacy Models and Outdated Firmware
As reports continued to rise, DrayTek issued a second advisory. This time, the company clarified that the issue mainly affects older Vigor router models running outdated firmware versions.
The company stated that its investigation revealed repeated, suspicious TCP connection attempts targeting the routers. These connections came from IP addresses with known malicious reputations. Devices were found to be vulnerable if SSL VPN or Remote Management features were enabled—especially if they lacked proper protection like an Access Control List (ACL).
In DrayTek’s words:
“These attempts could trigger the router to reboot in unpatched devices if those devices have SSL VPN Enabled, or Remote Management enabled without the protection of an Access Control List (ACL).”
DrayTek confirmed that firmware patches had been released as far back as 2020 to mitigate this issue, though exploitation in the wild is only now being observed.
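A triage sketch for the condition DrayTek describes: flag reboots that closely follow inbound TCP connections to an exposed service port from sources outside the ACL. This is an added example, not DrayTek's or GreyNoise's code. The event tuple format, the 60-second window, port 443 and all addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events in a generic normalized form (time, kind, source, port).
# This is NOT DrayTek's syslog format; map your own router/firewall logs into it.
EVENTS = [
    ("2000-01-01T10:00:05", "conn", "203.0.113.7", 443),
    ("2000-01-01T10:00:09", "conn", "203.0.113.7", 443),
    ("2000-01-01T10:00:20", "reboot", None, None),
    ("2000-01-01T11:30:00", "conn", "198.51.100.10", 443),  # allowlisted admin host
    ("2000-01-01T11:30:15", "reboot", None, None),
    ("2000-01-01T12:00:00", "conn", "203.0.113.99", 8080),  # port not being watched
    ("2000-01-01T14:00:00", "conn", "192.0.2.44", 443),
    ("2000-01-01T14:05:00", "reboot", None, None),          # 300 s after last attempt
]

ACL_ALLOWLIST = ["198.51.100.0/28"]  # assumed: networks permitted by the ACL
EXPOSED_PORTS = {443}                # assumed: SSL VPN / remote management port


def suspicious_reboots(events, allowlist, ports, window_s=60):
    """Return [(reboot_time, [source IPs])] for reboots preceded, within
    window_s seconds, by connections to watched ports from non-ACL sources."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    window = timedelta(seconds=window_s)
    recent = []    # (time, source) of connections that an ACL would have blocked
    findings = []
    for ts, kind, src, port in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "conn":
            addr = ipaddress.ip_address(src)
            if port in ports and not any(addr in n for n in nets):
                recent.append((t, src))
        elif kind == "reboot":
            hits = sorted({s for ct, s in recent if t - ct <= window})
            if hits:
                findings.append((ts, hits))
    return findings


if __name__ == "__main__":
    for when, sources in suspicious_reboots(EVENTS, ACL_ALLOWLIST, EXPOSED_PORTS):
        print(f"reboot at {when} follows attempts from {', '.join(sources)}")
```

A match only shows correlation in time; it does not identify which vulnerability, if any, caused the reboot.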
Still No Confirmation on Exact Exploit
One major concern remains: no specific vulnerability has been definitively identified as the trigger for the router reboots. Security experts and users alike are left guessing whether the reboots are a side effect of a failed attack or a deliberate tactic used by threat actors.
On March 26, DrayTek acknowledged via the platform X (formerly Twitter) that the issue may relate to a vulnerability disclosed in early March. Yet, they didn’t specify which flaw.
Earlier in the month, DrayTek had disclosed two advisories:
- One covered six vulnerabilities affecting Vigor routers, enabling denial-of-service (DoS) attacks, information leaks, and even remote code execution.
- The other detailed two additional code execution flaws, with firmware patches reportedly available since fall 2024.
GreyNoise Observes Exploitation Attempts
Adding to the confusion, cybersecurity firm GreyNoise recently published a blog analyzing DrayTek-targeted attacks. The company reported observing exploitation attempts against three known vulnerabilities:
- CVE-2020-8515
- CVE-2021-20123
- CVE-2021-20124
However, even GreyNoise couldn’t confirm whether these specific flaws are behind the recent surge in router reboots. This leaves users with more questions than answers.
Urgent Call to Action for DrayTek Users
Although DrayTek has not identified a single culprit, it urges all users—especially those with older devices—to immediately:
- Update firmware to the latest version
- Disable unnecessary remote access features
- Implement ACLs to restrict external access
These proactive steps are crucial in preventing further disruptions and potential exploitation.
Final Thoughts: Transparency Still Lacking
Despite multiple advisories and security updates, the full scope of the DrayTek router reboot vulnerability remains murky. Without clear identification of the flaw or attacker motivations, users are left relying on vague advisories and patch timelines from 2020.
As cyber threats become more sophisticated, router vendors like DrayTek must offer transparent, timely updates to help users safeguard their infrastructure. Until then, the mystery behind these sudden router reboots continues to cast a shadow over user trust and device security.