Overview
- CVE-2025-10547 stems from an uninitialized variable in the LAN WebUI code of DrayOS; a crafted HTTP or HTTPS request can trigger it, causing memory corruption that can lead to remote code execution.
- The flaw is reachable from the local network through the WebUI, and it is also exposed to the internet if EasyVPN is active or if remote administration and SSL VPN services are reachable from the WAN.
- CERT published VU#294418 on October 3, credited researcher Pierre-Yves Maes of ChapsVision, and formalized the CVE details and remediation guidance.
- DrayTek released firmware updates for dozens of Vigor models and recommends disabling or restricting remote WebUI/SSL VPN access with ACLs or VLANs until devices are patched.
- DrayTek reports no evidence of exploitation in the wild, while the reporting researcher says he has successfully tested an exploit and plans to release technical details soon.