
Hm, why are so many DrayTek routers stuck in a bootloop?

(2025/03/25)


DrayTek router owners in the UK and beyond had a pretty miserable weekend after some ISPs began to notice a lot of their customers' gateways going offline.

Pretty much overnight on Saturday, some types of DrayTek routers began rebooting over and over, rendering them inoperable. DrayTek says if that's happening to you, disconnect the router from the internet and try upgrading the firmware. And surely apropos of nothing, don't allow remote administrative access.

"The solution is to disconnect the WAN and then try to upgrade to the latest firmware ... Try the [Trivial File Transfer Protocol] TFTP firmware upgrade if the normal upgrade using the web UI does not work," the manufacturer [1]stated Monday.


"If remote access is enabled, disable it unless absolutely necessary. Use an access control list (ACL) and enable 2FA if possible. For unpatched routers, disable both remote access (admin) and SSL VPN. Note: ACL doesn’t apply to SSL VPN (Port 443), so temporarily disable SSL VPN until upgraded."
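The vendor guidance above amounts to a small decision procedure; as an added example (not DrayTek's code, and not from the article), here it is applied to a constructed router inventory. The minimum patched version is a placeholder to be taken from the advisory for your model, and the version parser ignores regional suffixes such as the `_BT` build mentioned in the comments.

```python
import re
from dataclasses import dataclass

# Placeholder minimum: read the real value from the DrayTek advisory
# for the specific model before relying on this check.
MIN_PATCHED = (3, 9, 9, 9)

@dataclass
class Router:
    name: str
    firmware: str          # e.g. "3.9.9.9_BT" (regional/modem-code suffixes are common)
    remote_admin: bool     # remote (WAN-side) administration enabled
    acl: bool              # access control list restricting remote admin
    two_factor: bool       # 2FA on the admin login
    ssl_vpn: bool          # SSL VPN listening on port 443

def parse_version(fw: str) -> tuple:
    """Return the dotted numeric part of a firmware string as an int tuple.
    Suffixes such as _BT or _MDM1 are not part of the version and are dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", fw)
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(fw: str, minimum=MIN_PATCHED) -> bool:
    # Tuple comparison handles differing component counts (3.9.9 < 3.9.9.9).
    return parse_version(fw) >= minimum

def findings(r: Router, minimum=MIN_PATCHED) -> list:
    """Apply the interim guidance and return the actions still outstanding."""
    out = []
    if not is_patched(r.firmware, minimum):
        out.append("upgrade firmware (WAN disconnected; TFTP if the web UI fails)")
        if r.remote_admin:
            out.append("disable remote admin until upgraded")
        if r.ssl_vpn:
            # An ACL does not cover SSL VPN on 443, so only disabling it helps here.
            out.append("disable SSL VPN until upgraded (ACL does not apply)")
        return out
    # Patched: remote admin is tolerable only behind an ACL and with 2FA.
    if r.remote_admin:
        if not r.acl:
            out.append("restrict remote admin with an ACL")
        if not r.two_factor:
            out.append("enable 2FA for remote admin")
    return out

# Constructed sample inventory, not real devices.
INVENTORY = [
    Router("branch-a", "3.9.8.1_MDM1", True, True, False, True),
    Router("branch-b", "3.9.9.9_BT", True, True, True, False),
]
```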


The issues, [5]highlighted by ISP Review, showed up on the radar of various telcos. Gamma, which services folks in the UK and Europe, acknowledged that some punters were struggling with their equipment, said the SNAFU wasn't caused by its network, and didn't name DrayTek.

Zen, meanwhile, went from fearing a hardware fault within its own network was causing subscribers to drop offline, to confirming it was a problem with DrayTek gear, and [6]shared pretty much the same recovery instructions the router maker offered.


ICUK also [8]pointed the finger at DrayTek, and said the kerfuffle was causing a headache for some BT Wholesale and TalkTalk broadband customers. A&A, too, [9]fingered DrayTek, speculated it may all have something to do with recently disclosed buffer-overflow vulnerabilities in the firmware, and offered alternative hardware to customers if they couldn't get their loopy kit working again.

Last October, DrayTek [10]released various [11]security patches for its hardware, including fixing one 10-out-of-10 CVSS severity issue in an end-of-life device.

This month DrayTek highlighted what looks like [12]another bunch [13]of bugs it patched in 2024 that, if exploited, could lead to crashes or the execution of malware.


Essentially, it's possible someone started trying to exploit, or successfully exploited, these flaws in unpatched DrayTek devices to cause them to crash over and over, at least. Possibly.

[15]700K+ DrayTek routers are sitting ducks on the internet, open to remote hijacking

[16]FBI boss says China 'burned down' 260,000-device botnet when confronted by Feds

[17]China's Salt Typhoon cyber spies are deep inside US ISPs

[18]Despite Russia warnings, Western critical infrastructure remains unprepared

A month before the aforementioned October patches were released, the Five Eyes nations [19]warned [PDF] a Chinese operation was running a network of remote-controlled malware-infected devices, including DrayTek gear. [20]According to then-FBI director Chris Wray, the miscreants realized they had been spotted and shuttered at least part of the 260,000-device botnet.

There are some reports that shifting to the latest firmware won't solve the issue, and folks have had to revert to an earlier build. Problems have also been reported in Australia and across Asia. Please let us know in the forums if you've had this boot loop pain, naming the model number, firmware versions, and general geographical location, if possible.

We've asked DrayTek for clarification and will update this story if we receive more info from the vendor or other sources. ®




[1] https://faq.draytek.com.au/docs/draytek-routers-rebooting-how-to-solve-this-issue/

[5] https://www.ispreview.co.uk/index.php/2025/03/broadband-isps-report-uk-connectivity-problems-with-vulnerable-draytek-routers.html

[6] https://servicealerts.zen.co.uk/alert/9225/

[8] https://interstatus.co.uk/

[9] https://aastatus.net/42755

[10] https://www.theregister.com/2024/10/02/draytek_routers_bugs/

[11] https://www.draytek.com/about/security-advisory/buffer-overflow-vulnerability

[12] https://www.draytek.com/about/security-advisory/denial-of-service,-information-disclosure,-and-code-execution-vulnerabilities

[13] https://www.draytek.com/about/security-advisory/buffer-overflow-vulnerabilities-(cve-2024-51138-cve-2024-51139)

[15] https://www.theregister.com/2024/10/02/draytek_routers_bugs/

[16] https://www.theregister.com/2024/09/18/fbi_flax_typhoon_ransomware/

[17] https://www.theregister.com/2024/09/25/chinas_salt_typhoon_cyber_spies/

[18] https://www.theregister.com/2024/09/18/russia_west_critical_infrastructure/

[19] https://www.ic3.gov/CSA/2024/240918.pdf

[20] https://www.theregister.com/2024/09/18/fbi_flax_typhoon_ransomware/



Remote management

Anonymous Coward

Open by default?

That sounds like a Vermin Media trick (though I know a lot of ISPs do it) and surely should be stopped like the easily computed WiFi passwords which were so widespread a few years ago.

Chloe Cresswell

Had this issue on Sunday with my "untrusted" network which uses an older DrayTek, now have an OpenWrt running device in place.

Was at a client yesterday with a 2862 (iirc) which I need to upgrade the firmware on, but I couldn't as the DrayTek websites were down, so I couldn't get the file.

We have 2 more out there and we don't know if they're just not being attacked or if they're patched atm. But thankfully we'd already moved most sites to something more powerful.

kmorwath

Which DrayTek site? I check www.draytek.com daily for patches, and didn't find it down (anyway, here it is... https://fw.draytek.com.tw/Vigor2862/Firmware/v3.9.9.9/) - it was released a month ago.

They are releasing new firmwares for most models, so probably the vulnerability is in one of the libraries used among them all.

At least DrayTek doesn't EOL a device the day after it has been announced.

Chloe Cresswell

Draytek.co.uk didn't respond, then after a few hours gave a login box, then later moved to a Barracuda "this website is using a security service to protect itself from online attacks. The action you just performed triggered this service. There are several actions that could result in being blocked including submitting a certain word or phrase, a SQL command or malformed data." message, before coming back to normal.

draytek.com didn't respond either, but came back up before the co.uk site.

And that link doesn't tell me which modem code it's running, hence needing the UK site.

kmorwath

Don't use your local DrayTek site to look for firmware updates - go to the main DrayTek one, the firmwares are the same worldwide. What modem code you're using you can see from the router itself - even via the CLI.

Len

Are you sure they are the same worldwide? I remember a DrayTek modem (admittedly a modem, not just a router) that had firmwares ending in _bt if you were on Openreach.

Chloe Cresswell

Correct, current firmware for this unit is 3.9.9.9_BT

Now that you mention it

Anonymous Coward

I have a 2860ac and a 2927ax with the latest firmware from after the last CVE warning and both seemed to be working OK, although over the weekend when I added a new IP bind to the 2927ax and went to save it, I got a warning about the management port number, which I checked out. I couldn't see an issue or change, so I tried a re-save and it worked.

Both routers were upgraded with the just-released firmware Monday evening.

Make of that what you want.

Re: Now that you mention it

tony72

We have a 2860n and 2866ax on our two sites, both with approximately year-old firmware, but remote management of course disabled, both also fine. I'm never 100% sure if there's more risk of introducing bugs with a firmware update, or the update process going wrong, when I have a stable system that's set up in what I consider a secure way, but I guess I'd better update those two now.

Firmware updates

Blitheringeejit

It did seem as though the DrayTek sites (including .com) were down for much of yesterday, and .uk still is. I wonder if the exploitists coordinated a DDoS attack on the firmware update sites, to give them a bigger window to attack the devices.

A few places I work with use EOL DrayTeks, and there are no new firmware updates for these at the time of writing. Historically DrayTek have been pretty good at updating firmware for EOL products, but it looks as though this attack might signify the end of that policy. Which probably indicates that my loyalty to them is also EOL...

Re: Firmware updates

Chloe Cresswell

.co.uk came back up yesterday evening, was up this morning, and down by around 1000 again.

What a balls-up!!!!

DesktopGuy

DrayTek issued 2 advisories last week on the same day, 3 hours apart.

Straight after the first advisory I checked all my client DrayTek routers (around 20) and only one was using vulnerable firmware.

I dutifully informed all my clients.

2 hours later the second email hit stating a newer minimum firmware. Now all but 2 of my clients were susceptible!

I then had to visit all clients over the next day and a half upgrading firmware and reassuring clients.

Yesterday a tech I know who also deploys DrayTek called me out of the blue - several of his client routers were dead and he was making the mercy dash to the distributor.

Today a client reached out as their ISP notified them of the same issue and noted they had seen a number of affected routers.

After that mess I'm testing ACS3 so I can remotely manage and upgrade them all over TR-069.

Not cheap and a pain to set up as I generally prefer Docker solutions, but looks to be a requirement going forward.

The idea of keeping a router for years is now a serious security issue.

Confusion

Altrux

The UK firmware site (and wider DrayTek UK site) has been intermittently available for the last few days. International sites seem to offer different variants, and different latest versions, for a range of common router models. When presented with a list of alternatives for a given version (e.g. _std, _MDM1, MDM2, .... MDM7), which are we supposed to go for? I'm not going to upgrade until I'm sure, as I don't want to mess up the 'modem code'...

TrevorH

Front page of the web UI shows you the current modem code that's in use, like:

DSL Version 8D1B17_A/B/C HW: A

You can use that to work out which firmware file to download.