DrayTek has issued updates to resolve 14 security flaws affecting two dozen router models, most of which are deployed by businesses, SC Media reports.
Some 704,525 internet-exposed DrayTek devices could be targeted by attacks exploiting the vulnerabilities, according to a report from Forescout Research's Vedere Labs, which discovered and reported the bugs. The most critical of the flaws is a maximum-severity buffer overflow, tracked as CVE-2024-41492, that could be exploited for remote code execution or denial of service.
The report also found that fewer than 3% of the exposed devices were running the latest DrayTek firmware, and that almost 38% remained vulnerable to older bugs of a similar kind. Cybersecurity experts said the findings point to inadequate vulnerability testing on DrayTek's part.
"Someone finding 14 new vulnerabilities at the same time likely tells you that extensive vulnerability testing was not done by the vendor. The larger reality is that this same finding is likely true about the majority of internet-connected devices and this is just the one we are learning about today," said KnowBe4's Roger Grimes.