Remote management
Open by default?
That sounds like a Vermin Media trick (though I know a lot of ISPs do it) and surely should be stopped like the easily computed WiFi passwords which were so widespread a few years ago.
DrayTek router owners in the UK and beyond had a pretty miserable weekend after some ISPs began to notice a bunch of their customers' gateways going offline. Pretty much overnight on Saturday, a good number of some types of DrayTek routers began rebooting over and over, rendering them inoperable. DrayTek says if that's …
Nope. It defaults to off (i.e. LAN only), but Drayteks are used by a lot of small businesses who might want remote management (we used to use them for just this purpose). You can set a list of allowed IPs, but there are always people who'll ignore that 'just to get it working' and forget to go back and turn it on later.
And CenturyLink leaving the TR-069 port (4567) accessible to world+dog, without bothering to tell their tech support folks that it exists.
But that wasn't why I left - it was the "ok, we transferred service to your new address on the day you requested, you're good to go", "it doesn't work", "that's a separate ticket, we should have somebody there in a week to take a look" that convinced me to go elsewhere. (Not to mention they could only deliver 10 Mbps at the new address, but still wanted to charge the same as the 30 at the previous...)
Had this issue on Sunday with my "untrusted" network which uses an older draytek, now have an openwrt running device in place.
Was at a client yesterday with a 2862 (iirc) which I need to upgrade the firmware on, but I couldn't as the draytek websites were down, so I couldn't get the file.
We have 2 more out there and we don't know if they're just not being attacked or if they're patched atm. But thankfully we'd already moved most sites to something more powerful.
Which Draytek site? I check daily www.draytek.com for patches, and didn't find it down (anyway, here it is... https://fw.draytek.com.tw/Vigor2862/Firmware/v3.9.9.9/) - it was released a month ago.
They are releasing new firmwares for most models, so probably the vulnerability is in one of the libraries used among them all.
At least Draytek doesn't eol a device the day after it has been announced.
Draytek.co.uk didn't respond, then after a few hours gave a login box, then later moved to a Barracuda "this website is using a security service to protect itself from online attacks. The action you just performed triggered this service. There are several actions that could result in being blocked including submitting a certain word or phrase, a SQL command or malformed data." message, before coming back to normal.
draytek.com didn't respond either, but came back up before the co.uk site.
And that link doesn't tell me which modem code it's running, hence needing the UK site.
If it is a BT supplied router it can have customized firmware - just like any other router on the market. If it is a standard DrayTek router the firmware is the same. xDSL modem/routers may be available with different "modem codes" which are made for different xDSL settings around the world - but usually they are not specific to a provider.
I have a 2860ac and a 2927ax with the latest firmware from after the last CVE warning and both seemed to be working OK, although over the weekend when I added a new IP bind to the 2927ax and went to save it, I got a warning about the management port number, which I checked out. I couldn't see an issue or change, so I tried a re-save and it worked.
Both routers were upgraded with the just-released firmware Monday evening
Make of that what you want.
We have a 2860n and 2866ax on our two sites, both with approximately year-old firmware, but remote management of course disabled, both also fine. I'm never 100% sure if there's more risk of introducing bugs with a firmware update, or the update process going wrong, when I have a stable system that's set up in what I consider a secure way, but I guess I better update those two now.
FWIW I never had a single problem with the firmware upgrade process when I used to be responsible for a fleet of 40-odd 2832's. Even though some of them were at the other end of very poor ADSL connections.
Keeping up to date with security patches is heartily recommended.
It did seem as though the Draytek sites (including .com) were down for much of yesterday, and .uk still is. I wonder if the exploitists coordinated a DDoS attack on the firmware update sites, to give them a bigger window to attack the devices.
A few places I work with use EOL Drayteks, and there are no new firmware updates for these at the time of writing. Historically Draytek have been pretty good at updating firmware for EOL products, but it looks as though this attack might signify the end of that policy. Which probably indicates that my loyalty to them is also EOL...
Draytek issued 2 advisories last week on the same day 3 hours apart
Straight after the first advisory I checked all my client Draytek routers (around 20) and only one was using vulnerable firmware.
I dutifully informed all my clients.
2 hours later the second email hit stating a newer minimum firmware. Now all but 2 of my clients were susceptible!
I then had to visit all clients over the next day and a half upgrading firmware and reassuring clients.
Yesterday a tech I know who also deploys Draytek called me out of the blue - several of his client routers were dead and he was making the mercy dash to the distributor.
Today a client reached out as their ISP notified them of the same issue and noted they had seen a number of affected routers.
After that mess I'm testing ACS3 so I can remotely manage and upgrade them all over TR-069.
Not cheap and a pain to set up as I generally prefer Docker solutions, but looks to be a requirement going forward.
The idea of keeping a router for years is now a serious security issue.
My router is over ten years old and doing everything I need it to do and TBH spending £250 to replace something that has never clocked any errors is questionable from an environmental PoV.
Question here is how long should vendors continue to provide security patches for their hardware? No problems with not getting feature updates, but security patches are the sort of thing that I would expect the EU to get interested in.
The idea of keeping a *Draytek* router for years is now a serious security issue.
FTFY
It's a shame, as it's something I've done for well over a decade without issues (because I never enable remote admin). But I guess all things must pass, and it's finally time to get to grips with OpenWRT...
Seems a bit of an over-reaction in my view. Every manufacturer has vulnerabilities show up now and then but DrayTek release plenty of firmware upgrades even for pretty old routers and which in my long experience have rarely introduced new problems. I did recently switch to a router running OpenWRT at home (it's Mikrotik hardware but RouterOS is diabolically irritating in places and they seem particularly bad at introducing new problems with firmware upgrades.)
I love OpenWRT, the flexibility is incredible and "unattended sysupgrades" bring the upgrade procedure more in line with what I'm used to, but even there I was left with no PoE output after the last firmware upgrade. I don't see myself boycotting DrayTek any time soon, their upgrade processes are as good and as reliable as I've seen - which really matters when you might be several hours away from the physical device.
I'll agree with your over-reaction assessment if someone can explain to me why a browser is throwing a security error when trying to access the firmware update page via an unpatched router, while the same browser isn't showing any errors when accessing the same page via a patched (different) Draytek router. Some of the online noise suggests that the bad stuff may not be limited to reboot cycles, and might result in code execution and possibly facilitate MitM attacks.
I'm reluctant to write Draytek off, for the same reasons as you - but they are not being very forthcoming about exactly what kind of threats this latest bunch of hacks might involve. In conjunction with the symptom above, this leaves me a bit worried.
That rather depends on what security error your browser was showing. If it's "hey the self signed SSL certificate is... self signed" or, judging by the date on my Draytek's SSL cert, it is baked into the firmware and expires in about a year so not upgrading looks likely to give you a cert expired error. Which might encourage you to go in search of an update...
> “After that mess I'm testing ACS3 …
> Not cheap”
Agree it’s not cheap plus being a per node subscription …
Might be worth talking to BroadbandBuyer and investigating EssCloud, their hosted version of ACS3.
It has always irritated me that I could not download and setup a 100 day trial ACS - like MS did with Windows Server, which was great for learning and proof of concept.
The UK firmware site (and wider Draytek UK site) has been intermittently available for the last few days. International sites seem to offer different variants, and different latest versions, for a range of common router models. When presented with a list of alternatives for a given version (e.g. _std, _MDM1, MDM2, .... MDM7), which are we supposed to go for? I'm not going to upgrade until I'm sure, as I don't want to mess up the 'modem code'...
The modem code doesn't mess up anything - you may just encounter lower performance on your xDSL line with some modem codes than others. If so, just select a different modem code, or switch to a different firmware. If you have an ISP branded router, you may want to use its specific version. It might be "optimized" somehow, it could just have the TR-069 settings and little more on board.
The only thing "dangerous" is there are specific firmware versions that reset the device to factory settings. If you didn't export your settings, you have to re-configure the device from scratch.
We support over 50 Draytek routers at various customer sites. Some of them were affected, starting Saturday night with them going into reboot loops. The trick is to upgrade the firmware. You might need to disconnect the WAN to stop the reboot loops from happening.
However, with some of the problematic routers, we managed to do a firmware upgrade over the internet. Drayteks have a very good firmware recovery feature, which reverts if an update is corrupted, and even if it detects multiple reboots.
NOTE: Doing a factory default reset doesn't fix the problem.
It seems that the problem is that these routers are being bombarded by data that exploits this bug, which is why disconnecting the WAN stops the reboot loop. It does not appear that any firmware is itself corrupted.
If you are unable to do a firmware update (for example, a router is too old), what you can do is:
1. Disable SSL VPN or change the default VPN port to something else (e.g. 10443)
2. Disable remote management, but also change the default SSL port from 443 to something else (e.g. 8443).
Because the exploit uses a buffer overflow on port 443, disabling these ports stops the reboot loops.
Of course, the whole thing is rather complex if you can't get in to the router because it's rebooting all the time. If you have someone on site who is reasonably adept, you can talk them through the process.
We mitigated against continued problems by patching existing, unaffected routers that hadn't already been patched. The thing with this exploit is that it didn't affect all our routers. Possibly, what's happened is that the 'hackers' did some reconnaissance over the preceding months, scanning ranges of IP addresses for unpatched Draytek routers. This explains why not all the routers were affected: they just hadn't scanned those IP addresses.
It was relatively easy to get everyone back up and running and (touch wood) we haven't had any further problems.
Oh, I wouldn't buy a DrayTek to run OpenWrt.
Try a GL.iNET Flint. One hundred & sixteen quid gets you a 64-bit quad-core ARMv8, 1GB RAM, 8GB flash, two 2.5Gbps & four 1Gbps Ethernet ports, separate 2.4GHz & 5GHz WiFi phys, USB3, running latest OpenWrt or GL.iNet's front-end on top if you prefer. Linux DSA architecture but you can let the 5-port switch do all the VLAN switching work itself as well and NAT & flow offloading to the WiFi & Ethernet hardware means the CPU is largely free for other uses.
What exactly can your proprietary router do that this cannot? And how much do you have to pay for that proprietary router - at least five times more than I did for similar spec & functionality.
When just running as a router, my CPU usage barely gets out of the sub-5% range. So I can run services like NFS, Samba, Apache, Postfix, Dovecot or Asterisk natively or there are plenty of Docker images that run fine too.
Fully open source including the build environment so I can tweak & build the firmware myself if I want to or just use the web builder or the package manager post installation. And no vendor lock-in.
Zen sent me a Draytek router when I signed up and after looking at it for approximately six seconds I decided the vibes were bad and went back to the Netgear I had been using before, which wasn't too hard to configure to do the same job. Now the Draytek only gets switched on when I'm on the phone to support and they insist I use the hardware they posted out.
It seems my hardware vibe-checks really came through that day. Perhaps it's an advantage of advancing age to have a sense for shite hardware...
Have you seen how many flaws have been found in Netgear devices? DrayTek are clearly not perfect but there's a reason the vast majority of SMEs I've dealt with use their routers and it's not price. "Vibes" are really not a good way of choosing IT equipment where the important stuff is invisible... I've nothing in particular against Netgear, if I only have the budget for bargain basement stuff I will use it but there's no way I'd use one of their routers over a DrayTek.
Zen here too at two SOHO residential sites and I got FRITZ!Boxes too with built-in FSX & DECT telephony. Only use them for telephony & the VDSL modems - use OpenWrt for everything else.
FRITZ!Box are way better than what you'll get from the main ISPs though and they do get upgrades from AVM from time to time.
I wouldn't buy Netgear, D-Link or Cisco routers or access points ever, except for consumer use where I know they can be converted to open source. (Netgear WAC124s used to convert to surprisingly good gateway routers for ~ 50Mbps DSL connections and they cost diddly-squat.)
If one must choose proprietary, DrayTek are okay. But there are several 'industrial grade' hardware manufacturers that support open source projects like OpenWrt directly.
I have a few r7800's. One is stock and surprisingly had an update a little while ago
The others are dd-wrt, did look at open wrt when kong moved over, but I don't do enough to warrant me getting that stuck into the cli
Much better for security. Though some features do get lost or slower.
Fond memories of some old Drayteks from segcom on cix.
I have dozens of Drayteks out there, under my care.
One customer contacted me on Sunday afternoon with this exact issue. I assumed router had failed (about 8 years old) and ordered a new one on Monday, which arrived today (Tuesday).
However, on Monday evening I saw that it was staying up for 10-15 minutes before rebooting (previously it would barely be up for about 20 seconds before going down) and during that time, noticing the f/w was a year or two old, managed to re-flash it with the latest version, and it has stayed up since then.
I'm now going to have to check the rest of them, and update remotely. These are scattered all over the country, in all kinds of unmanned and somewhat inaccessible locations. Not an easy nor quick task and one that is fraught if it bricks. I don't fancy the 900 mile round trip to get local access!
Some of these are only reporting telemetry data back, so frequent reboots might not be immediately apparent. Fortunately some of the more inaccessible ones are on 4G connections, so not directly accessible from the wild west of the internet. None of them have management from the internet enabled, but they all have incoming VPN enabled for me to manage.
Jeez, I am seriously upset about this. I had been thinking of looking for something other than Drayteks for a while, maybe now is the time to move on...
Hi,
I feel for you.
I've managed to brick around 4 Draytek routers over the years trying to update via web interface remotely (even over VPN) so I don't risk it these days - except for one client which is interstate.
That's why I'm testing ACS3 right now which is a pain to set up. TR-069 seems to be the only reliable way forward for remote updates unless I switch all routers to something like the Synology routers which do auto updates and remote updates without issue.
The big issue is a lot of clients are on VDSL type connections so I'd need a VDSL modem in between which just complicates things.
I used a lot of DrayTek routers early in my I.T. career, and they were unbeatable on price, features and support. But they're also quite ... eccentric. After having exposure to mainstream enterprise products (Palo Alto, Fortinet, Juniper, Cisco, etc.), I felt pretty "cramped" going back to working on DrayTeks.
In recent years, Netgate has replaced DrayTek as my weapon of choice in the SME or SOHO space - particularly the pfSense-based routers. They tend not to come with built-in modems or Wi-Fi, but on other features (firewall, NAT, logging & monitoring, DNS resolver, etc.), they blow equivalent DrayTeks out of the water. You can add packages as you require (e.g. Snort, Wireguard, haproxy, Squid, etc.). And the devices normally receive updates for a long time. I have an SG-1100 at home, which was released in 2019, and there's no sign yet of Netgate announcing an EOL. Still regularly updated. (For SME I use larger appliances - 2100 and 4200.)
Yes, you can run pfSense on lots of other hardware, but for an SME, it makes sense to go with a supported device. The main drawback is that their "Multi-Instance Management" implementation is still very early stage. If you're managing a fleet of routers, maybe try Sophos XG. Not as strong a value proposition as Netgate, but more mainstream, while being (IMHO) more accessible than any of the Gartner leaders.
At my previous place we also supplied Draytek for anything but the most basic installs.
As you say, they are a little eccentric in the way the UI works, and the interaction between features. But like a lot of things, once you get the hang of them, quite versatile and decent price for the features.
.....after the last reg article pointed to a pdf that showed how they were putting sticking plaster over past disclosed vulnerabilities
closed source ... stay away.... the suits will always override the techs and keep the decision hidden behind closed doors .. it's all about the money honey :)
all now replaced with opnsense running on no name small entry level x86 boxes (with Intel NICs)
ps can even get two and put them in HA ... https://docs.opnsense.org/manual/hacarp.html
On the 13th Feb I got two emails from Draytek, one listing 8 vulnerabilities. One highlighting two critical vulnerabilities that were listed in the previous email.
The critical vulnerabilities:
CVE number       CVSS
CVE-2024-51138   9.8
CVE-2024-51139   9.8
Both led to buffer overflow.
Guidance about the update stated the following;
3. If remote access is enabled:
Disable it unless absolutely necessary.
Use an access control list (ACL) and enable 2FA if possible.
For unpatched routers, disable both remote access (admin) and SSL VPN.
Note: ACL doesn't apply to SSL VPN (Port 443), so temporarily disable SSL VPN until upgraded.
As has been previously commented, recommended minimum firmware was listed differently in the emails.
Fortunately I do not use VPN or remote access, both are disabled. I updated the firmware, to the most recent, the following day and have had no issues.
I was fortunate. I have easy access, on site, to this equipment. I really feel for those that support this stuff remotely.
I would suggest however that many people buy Draytek because it is reliable SME level kit that plays well as an ecosystem.
Some of the users of such kit may leave it on a shelf or in a cupboard a little neglected as Draytek doesn’t seem to get attacked as much as other larger providers.
If anything this story should give us an idea of how much kit is out there and perhaps prod us all to make sure we maintain it?
Honestly I sleep better at night knowing my Draytek kit is maintained rather than other stuff that “auto updates” but doesn't offer you the ability to check/force an update.
Well that's true if all of the below are true :
* You have no mobile signal and can't access it that way
* You have no alternative router you can use, even temporarily, to access it
* There's no other site you can go to where it can be downloaded
* Extend that to home, your own office (if it's not your home site), any other office, a mates home, a friend's office, your local coffee shop/fast food outlet/shop/whatever that has WiFi available
Now, I can imagine that there are some out of the way sites where those are inconvenient, but seriously, these days it's not that hard to get online.
update on the Australian Draytek page...... might be on other Draytek pages too..... have not fully checked.
https://faq.draytek.com.au/docs/draytek-routers-rebooting-how-to-solve-this-issue/
Looks like it is 2760, 2762, 2860, 2862, 2133 models affected.
I had an older 2862 on 3.9.9.1 firmware go down. Managed to update to 3.9.9.9 and it has been fine since. 3.9.9.9 seems to be the latest for this box.
I have multiple 2865's (newer, updated model of 2862) and they all seem OK. They are on roughly 4.4.1_BT firmware.
So, my guess is that the older (2862) boxes have only been supported up to 3.9 firmware and have this issue. A new 3.9.9.9 software fixes this.
Later models, 2865, etc, are on version 4.4 and don't have the issue.
I also have some 2927's and they seem OK. All are on 4.4.5 or thereabouts. Having just checked a couple they are flagging up that new firmware is available.
That's my understanding of the situation - yours may vary! Hope it is of some help to fellow commentards. Enjoy your patchday Wednesday!
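Several posts above describe the same triage job by hand: compare each router's firmware (strings like 3.9.9.1 or 4.4.1_BT) against the minimum the advisory asks for, and for anything that can't be patched yet, turn off remote admin and SSL VPN and move the HTTPS port off 443 (the advisory note that the ACL does not cover SSL VPN is the reason SSL VPN has to be disabled rather than filtered). The script below is an added example, not code from the thread, from DrayTek or from any commenter: it parses the version strings, ignores ISP suffixes such as _BT when comparing, and sorts a fleet so that unpatched and exposed devices come first. The MIN_FIRMWARE table and the FLEET inventory are constructed placeholders; replace them with the figures from the vendor's own emails and your own site list.

```python
"""Fleet triage for routers against a firmware advisory.

Added example, not vendor code. MIN_FIRMWARE and FLEET below are
CONSTRUCTED placeholders: substitute the values from the real advisory
and your own inventory before relying on the output.
"""
import re
from dataclasses import dataclass, field

# CONSTRUCTED placeholder table: minimum patched firmware per model.
MIN_FIRMWARE = {
    "2862": "3.9.9.9",
    "2865": "4.4.5",
    "2927": "4.4.5",
}


def parse_version(text):
    """Turn '4.4.1_BT' into (4, 4, 1) and '3.9.9.9' into (3, 9, 9, 9).

    Anything after '_' (an ISP or modem-code variant marker) is dropped:
    it identifies a build variant, not a newer release.
    """
    core = text.strip().split("_", 1)[0]
    parts = tuple(int(p) for p in re.findall(r"\d+", core))
    if not parts:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return parts


def version_at_least(have, need):
    """Compare tuples of unequal length by zero-padding, so 3.9.9 < 3.9.9.9."""
    width = max(len(have), len(need))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) >= pad(need)


@dataclass
class Router:
    name: str
    model: str
    firmware: str
    remote_admin: bool      # WAN-side web admin enabled
    ssl_vpn: bool           # SSL VPN service enabled (shares the HTTPS port)
    https_port: int = 443


@dataclass
class Finding:
    name: str
    patched: bool
    exposed: bool
    actions: list = field(default_factory=list)


def triage(router):
    """Apply the advisory guidance: patch if possible; otherwise switch off
    the WAN-reachable services and move the HTTPS port until the upgrade."""
    actions = []
    need = MIN_FIRMWARE.get(router.model)
    if need is None:
        patched = False
        actions.append("model not in advisory table: confirm with vendor (may be EOL)")
    else:
        patched = version_at_least(parse_version(router.firmware), parse_version(need))
        if not patched:
            actions.append(f"upgrade firmware {router.firmware} -> {need}")
    # Remote admin and SSL VPN are the services the thread reports being hammered.
    exposed = router.remote_admin or router.ssl_vpn
    if not patched and exposed:
        if router.remote_admin:
            actions.append("disable remote admin until upgraded")
        if router.ssl_vpn:
            actions.append("disable SSL VPN until upgraded (the ACL does not cover it)")
        if router.https_port == 443:
            actions.append("move HTTPS port off 443 (e.g. 8443) as a stopgap")
    return Finding(router.name, patched, exposed, actions)


def prioritise(fleet):
    """Unpatched and exposed first, then unpatched, then everything else."""
    findings = [triage(r) for r in fleet]
    return sorted(findings, key=lambda f: (f.patched, not f.exposed, f.name))


# CONSTRUCTED sample inventory; names, models and firmware are placeholders.
FLEET = [
    Router("site-a", "2862", "3.9.9.1", remote_admin=False, ssl_vpn=True),
    Router("site-b", "2927", "4.4.5", remote_admin=True, ssl_vpn=False),
    Router("site-c", "2865", "4.4.1_BT", remote_admin=True, ssl_vpn=False),
    Router("site-d", "2760", "3.8.9", remote_admin=False, ssl_vpn=False),
]

if __name__ == "__main__":
    for f in prioritise(FLEET):
        state = "patched" if f.patched else "UNPATCHED"
        print(f"{f.name}: {state}, exposed={f.exposed}")
        for a in f.actions:
            print(f"    - {a}")
```

The ordering puts site-a and site-c (unpatched with SSL VPN or remote admin on) at the top, the unknown-model site-d next, and the already-patched site-b last, which is the order a tech doing the round trip described above would want to work through.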