CVE-2023-33778 — CRITICAL (9.8)

Q: How severe is CVE-2023-33778?

CVE-2023-33778 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2023-33778?

Check the references section above for vendor advisories and patch information. Affected products include: Draytek Myvigor, Draytek Vigorswitch Pq2200Xb Firmware, Draytek Vigorswitch Pq2200Xb, Draytek Vigorswitch Pq2121X Firmware, Draytek Vigorswitch Pq2121X.

Vulnerability Description

Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Draytek	Myvigor	< 2.3.2
Draytek	Vigorswitch Pq2200Xb Firmware	< 2.6.7
Draytek	Vigorswitch Pq2200Xb	-
Draytek	Vigorswitch Pq2121X Firmware	< 2.6.7
Draytek	Vigorswitch Pq2121X	-
Draytek	Vigorswitch P2540Xs Firmware	< 2.6.7
Draytek	Vigorswitch P2540Xs	-
Draytek	Vigorswitch P2280X Firmware	< 2.6.7
Draytek	Vigorswitch P2280X	-
Draytek	Vigorswitch P2100 Firmware	< 2.6.7
Draytek	Vigorswitch P2100	-
Draytek	Vigorswitch Q2200X Firmware	< 2.6.7
Draytek	Vigorswitch Q2200X	-
Draytek	Vigorswitch Q2121X Firmware	< 2.6.7
Draytek	Vigorswitch Q2121X	-
Draytek	Vigorswitch G2540Xs Firmware	< 2.6.7
Draytek	Vigorswitch G2540Xs	-
Draytek	Vigorswitch G2280X Firmware	< 2.6.7
Draytek	Vigorswitch G2280X	-
Draytek	Vigorswitch G2121 Firmware	< 2.6.7

Related Weaknesses (CWE)

CWE-798

References

https://gist.github.com/Ji4n1ng/6d028709d39458f5ab95b3ea211225efExploitThird Party Advisory
https://gist.github.com/Ji4n1ng/6d028709d39458f5ab95b3ea211225efExploitThird Party Advisory

FAQ

What is CVE-2023-33778?

CVE-2023-33778 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discover...

How severe is CVE-2023-33778?

CVE-2023-33778 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-33778?

Check the references section above for vendor advisories and patch information. Affected products include: Draytek Myvigor, Draytek Vigorswitch Pq2200Xb Firmware, Draytek Vigorswitch Pq2200Xb, Draytek Vigorswitch Pq2121X Firmware, Draytek Vigorswitch Pq2121X.