DrayTek warns of remote code execution bug in Vigor routers

Networking hardware maker DrayTek released an advisory warning that several Vigor router models contain a vulnerability, tracked as CVE-2025-10547, that could allow unauthenticated remote actors to execute arbitrary code. The flaw was reported to the vendor on July 22 by ChapsVision security researcher Pierre-Yves Maes, the advisory said; more information is available in DrayTek’s security advisory.

DrayTek’s advisory says “The vulnerability can be triggered when unauthenticated remote attackers send crafted HTTP or HTTPS requests to the device’s Web User Interface (WebUI).” It adds that “Successful exploitation may cause memory corruption and a system crash, with the potential in certain circumstances could allow remote code execution.”

The root cause of CVE-2025-10547 is an uninitialized stack value that can be leveraged to cause the free() function to operate on arbitrary memory locations, an “arbitrary free()” condition that can be chained to achieve remote code execution. The researcher said he successfully created an exploit and ran it on DrayTek devices.

DrayTek listed a broad range of impacted models and the firmware versions that fix the flaw:

- Vigor1000B, Vigor2962, Vigor3910/3912 → 4.4.3.6 or later (some models 4.4.5.1)
- Vigor2135, Vigor2763/2765/2766, Vigor2865/2866 Series (incl. LTE & 5G), Vigor2927 Series (incl. LTE & 5G) → 4.5.1 or later
- Vigor2915 Series → 4.4.6.1 or later
- Vigor2862/2926 Series (incl. LTE) → 3.9.9.12 or later
- Vigor2952/2952P, Vigor3220 → 3.9.8.8 or later
- Vigor2860/2925 Series (incl. LTE) → 3.9.8.6 or later
- Vigor2133/2762/2832 Series → 3.9.9.4 or later
- Vigor2620 Series → 3.9.9.5 or later
- VigorLTE 200n → 3.9.9.3 or later
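To turn that list into a fleet check, here is an added example (not DrayTek's or the researcher's code) that compares each inventoried model and firmware string against the minimum fixed version above; the model-prefix matching, the four status labels and the inventory rows are this example's own assumptions, and because the advisory summary does not say which models in the first row need 4.4.5.1, firmware between 4.4.3.6 and 4.4.5.1 on that row is flagged for manual review rather than marked patched.

```python
# Added example: triage a Vigor inventory against the CVE-2025-10547 fixed-firmware
# list. Not DrayTek's code; prefixes, statuses and inventory rows are assumptions.
import re

# (model-name prefixes in one advisory row, minimum fixed firmware)
FIXED_FIRMWARE = [
    (("Vigor1000B", "Vigor2962", "Vigor3910", "Vigor3912"), "4.4.3.6"),
    (("Vigor2135", "Vigor2763", "Vigor2765", "Vigor2766",
      "Vigor2865", "Vigor2866", "Vigor2927"), "4.5.1"),
    (("Vigor2915",), "4.4.6.1"),
    (("Vigor2862", "Vigor2926"), "3.9.9.12"),
    (("Vigor2952", "Vigor3220"), "3.9.8.8"),
    (("Vigor2860", "Vigor2925"), "3.9.8.6"),
    (("Vigor2133", "Vigor2762", "Vigor2832"), "3.9.9.4"),
    (("Vigor2620",), "3.9.9.5"),
    (("VigorLTE200n",), "3.9.9.3"),
]
# The advisory says "some models" in the first row need 4.4.5.1 but does not name
# them, so firmware between 4.4.3.6 and 4.4.5.1 on that row is flagged for review.
AMBIGUOUS_ROW, AMBIGUOUS_CEILING = 0, "4.4.5.1"

def parse_version(text):
    """'4.4.3.6_STD' -> (4, 4, 3, 6); anything after the dotted number is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()

def assess(model, firmware):
    # Returns 'vulnerable', 'patched', 'review' or 'not_listed' for one device.
    key = model.replace(" ", "").lower()          # 'Vigor2927 Lac' -> 'vigor2927lac'
    have = parse_version(firmware)                # () for unparsable -> vulnerable
    for row, (prefixes, fixed) in enumerate(FIXED_FIRMWARE):
        if not any(key.startswith(p.lower()) for p in prefixes):
            continue
        if have < parse_version(fixed):           # numeric, so 3.9.9.9 < 3.9.9.12
            return "vulnerable"
        if row == AMBIGUOUS_ROW and have < parse_version(AMBIGUOUS_CEILING):
            return "review"
        return "patched"
    return "not_listed"

# Constructed inventory lines (hostname,model,firmware); not real devices.
INVENTORY = """\
branch-01,Vigor2927Lac,4.4.5.3
core-gw,Vigor3910,4.4.3.6
legacy-01,Vigor2860,3.9.8.5
lab,Vigor2135ax,4.5.1_STD
"""
def scan(csv_text):
    """Return [(host, model, firmware, status)] for every inventory row."""
    rows = []
    for line in csv_text.splitlines():
        host, model, fw = (f.strip() for f in line.split(","))
        rows.append((host, model, fw, assess(model, fw)))
    return rows
```

Devices reported as not_listed still deserve a look against the full vendor advisory, since the summary above may abbreviate series names.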

DrayTek noted that WAN exposure can be reduced by disabling remote WebUI or SSL VPN access or by restricting access with ACLs or VLANs, but said the WebUI remains reachable over the LAN and is therefore still exposed to local attackers. The company’s bulletin does not mention ongoing exploitation. System administrators should apply the available firmware security updates as soon as possible; Maes said he will disclose the full technical details for CVE-2025-10547 tomorrow.