Security Intelligence
Customers of several internet service providers (ISPs) in the U.K. and Europe that rely on DrayTek residential-grade routers for connectivity have faced widespread disruptions since March 22 due to a persistent reboot loop issue. The problem, which affected multiple DrayTek router models, caused devices to restart continuously, leaving many users without stable internet access.
The issue primarily impacted U.K.-based ISPs, including Gamma, Zen Internet, ICUK, and Andrews & Arnold (A&A), whose customers rely on DrayTek routers for home and business networking. Similar disruptions were also reported in Australia and other regions, suggesting a global-scale problem.
Stay on top of emerging threats.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
While the exact cause remains unclear, some ISPs speculated that the issue could have been triggered by a faulty software update, a misconfiguration, or even an attempted cyberattack.
DrayTek hasn’t officially stated what the problem was, but it has released firmware updates to address the problem, advising users to apply the patches, disable certain remote access features, and manually restart their devices if necessary.
Source: Bleeping Computer
Analysis
DrayTek is a Taiwan-based manufacturer of networking equipment, including routers, that are widely used by small to medium-sized businesses and consumers worldwide. In the United Kingdom, DrayTek's Vigor routers are a familiar name in the broadband ISP market.
Scan for internet-exposed DrayTek routers showing large concentrations in the U.K., Europe, and Australia. (Source: Shadow Server)
DrayTek routers have experienced security vulnerabilities in the past. For instance, In October 2024, 14 new security vulnerabilities were identified in 24 models of DrayTek's Vigor routers, with one vulnerability receiving a Common Vulnerability Score (CVSS) of 10 out of 10.
Additionally, these vulnerabilities have been exploited in ransomware campaigns, where attackers infiltrated networks, stole credentials, and deployed ransomware. Compromised DrayTek routers have also been weaponized to form botnets, which can be used to launch massive distributed denial-of-service (DDoS) attacks.
These incidents underscore the importance of regularly updating router firmware and monitoring network equipment for potential vulnerabilities to maintain network security.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats to hardware like DrayTek routers. Field Effect MDR users are automatically notified if if vulnerable hardware is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages users of the impacted DrayTek routers to upgrade to the latest firmware in accordance with DrayTek’s advisory as soon as possible.
