DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign 


Two old vulnerabilities affecting a DrayTek product have been exploited by multiple threat groups to target organizations worldwide, SecurityWeek has learned.

The US cybersecurity agency CISA this week added to its Known Exploited Vulnerabilities (KEV) catalog two flaws found by Tenable researchers in 2021 in DrayTek VigorConnect, a management software for DrayTek network equipment. 

The exploited flaws, tracked as CVE-2021-20123 and CVE-2021-20124, have been described as path traversal issues that can allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges. The vulnerabilities were patched by the vendor back in October 2021. 
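To make the defect class concrete, here is an added example (not code from the article, DrayTek, Tenable or Fortinet) showing the two things a defender wants for a path traversal bug of this kind: a server-side check that refuses any requested file path that would resolve outside the served directory, and a small log-review routine that flags requests whose decoded path escapes that directory. The base directory, the `/files/` URL prefix and the access-log lines are all constructed placeholders; they are not VigorConnect's real paths or endpoints.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (illustrative only; not taken from the
# article or from any real device). Two of them carry traversal sequences.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [28/Aug/2024:10:01:02 +0000] "GET /files/report.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Aug/2024:10:01:07 +0000] "GET /files/../../../../etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [28/Aug/2024:10:02:11 +0000] "GET /files/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 720',
    '198.51.100.8 - - [28/Aug/2024:10:02:30 +0000] "GET /files/readme.txt HTTP/1.1" 404 0',
]

# Pulls method, request path and status code out of a common-log-format line.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def resolve_within_base(base_dir: str, requested: str):
    """Server-side containment check.

    Returns the absolute filesystem path for `requested` only if it stays
    inside `base_dir`; otherwise returns None. The path is percent-decoded
    twice (to catch double-encoded dots) and then canonicalised with
    realpath, so '..' segments and symlinks cannot escape the served tree.
    The service itself should also run as an unprivileged account, so that
    even a bypass of this check cannot read root-only files.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(unquote(requested))
    # Treat every request as relative to the base, even if it starts with '/'.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def find_traversal_attempts(log_lines, served_prefix="/files/"):
    """Log-review helper for incident response.

    For each request whose raw path sits under `served_prefix`, decode it
    and normalise it the way a naive file handler effectively would. If the
    normalised path no longer sits under the prefix, the request was trying
    to leave the served directory. Returns (client_ip, normalised_path,
    status) tuples; a 200 status on a flagged line deserves attention.
    """
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(unquote(m.group("path")))
        normalised = posixpath.normpath(decoded)
        if decoded.startswith(served_prefix) and not normalised.startswith(served_prefix):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, normalised, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    # Hypothetical base directory; any path under it is fine, anything else is refused.
    print(resolve_within_base("/srv/vc/files", "reports/q3.pdf"))
    print(resolve_within_base("/srv/vc/files", "../../etc/passwd"))
    for ip, path, status in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {path} (status {status})")
```

The containment check is the fix pattern: decode, join to the base, canonicalise, then compare against the canonical base, rather than looking for the literal string `..` in the input. The log routine applies the same normalisation to historical requests, which is how an operator can tell whether attempts like the ones Fortinet reports reached a host before it was patched.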

There do not appear to be any public reports describing in-the-wild attacks in which these DrayTek vulnerabilities have been exploited. However, SecurityWeek noticed a Fortinet IPS advisory created in June 2024 and updated in late July that mentioned CVE-2021-20123 being exploited in attacks.

Val Saengphaibul, director of threat response at FortiGuard Labs, told SecurityWeek that the company has seen CVE-2021-20123 being exploited in a worldwide campaign targeting various industries, including finance payroll, networking, manufacturing, real estate, telecom, and technology (storage, software and hardware companies). 

“At this time, we do not see any specific attacks, as they appear to be broad in scope and not targeting a specific region or vertical,” Saengphaibul said. “We do not believe that this is the work of a specific group, but multiple threat actor groups trying to exploit this vulnerability to exfiltrate data from affected organizations.”

Saengphaibul noted that there was a spike in exploitation attempts on August 28 and 29, which may be what prompted CISA to add the vulnerabilities to its KEV catalog.  

“Although this vulnerability is several years old, this highlights that threat actors are always seeking to exploit unpatched machines due to the fact that many organizations aren’t very proactive about patching for a multitude of reasons,” Saengphaibul added.


While Fortinet has not mentioned CVE-2021-20124, it’s safe to assume that it has been exploited in the same attacks as CVE-2021-20123.

Hackers targeting DrayTek products in their campaigns is not unheard of. In 2018, threat actors exploited a zero-day to change DNS settings in DrayTek routers, and two years later news broke about two other zero-days being exploited to target the company’s enterprise routers. 

A Shodan search for DrayTek shows more than 600,000 results, so it's not surprising that the company's products are being targeted by threat actors.

Related: Hackers Target Vulnerability Found Recently in Long-Discontinued D-Link Routers

Related: Mysterious Threat Actor Used Chalubo Malware to Brick 600,000 Routers
