CVE-2023-33778

CRITICAL

Draytek MyVigor < 2.3.2 - Use of Hard-coded Credentials

Title source: llm

Description

Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and MyVigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys, which allow attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website.


Scores

CVSS v3 9.8
EPSS 0.0060
EPSS Percentile 44.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-798
Status published
Products (50)
draytek/myvigor < 2.3.2
draytek/vigor1000b_firmware < 3.9.6
draytek/vigor130_firmware < 3.9.6
draytek/vigor165_firmware < 3.9.6
draytek/vigor166_firmware < 3.9.6
draytek/vigor167_firmware < 3.9.6
draytek/vigor2135ac_firmware < 3.9.6
draytek/vigor2135ax_firmware < 3.9.6
draytek/vigor2135fvac_firmware < 3.9.6
draytek/vigor2135vac_firmware < 3.9.6
... and 40 more
Published Jun 01, 2023
Tracked Since Feb 18, 2026