Expired

Security Advisory: Use of Uninitialized Variable Vulnerabilities (CVE-2025-10547)

3rd October 2025

Models Affected: See table below


Priority: Critical

Action Required: Ensure ACL is enabled in System Maintenance. Disable SSL VPN. Disable Remote Management. Update to the latest firmware where available.


On July 22, 2025, a security vulnerability was identified in DrayOS routers. The vulnerability can be triggered when unauthenticated remote attackers send crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI). Successful exploitation may cause memory corruption and a system crash, and in certain circumstances could allow remote code execution.

Routers are shielded from WAN-based attacks if remote access to the WebUI and SSL VPN services is disabled, or if Access Control Lists (ACLs) are properly configured. Nevertheless, an attacker with access to the local network could still exploit the vulnerability via the WebUI. Local access to the WebUI can be controlled on some models using LAN-side VLANs and ACLs. To ensure full protection, we strongly recommend upgrading the firmware to the minimum version specified below:

Affected Products

| Model | Firmware Version | Due |
|---|---|---|
| Vigor 2962 | 4.4.3.6 | Released |
| Vigor 2962 | 4.4.5.1 | Released |
| Vigor 3910 | 4.4.3.6 | Released |
| Vigor 3910 | 4.4.5.1 | Released |
| Vigor 3912 | 4.4.3.6 | Released |
| Vigor 3912 | 4.4.5.1 | Released |
| Vigor 2135 | 4.5.1 | Released |
| Vigor 2763 | 4.5.1 | Released |
| Vigor 2765 | 4.5.1 | Released |
| Vigor 2766 | 4.5.1 | Released |
| Vigor 2865 | 4.5.1 | Released |
| Vigor 2866 | 4.5.1 | Released |
| Vigor 2927 | 4.5.1 | Released |
| Vigor 2862 | 3.9.9.12 | Released |
| Vigor 2926 | 3.9.9.12 | Released |
| Vigor 2952 | 3.9.8.8 | Released |
| Vigor 3220 | 3.9.8.8 | Released |
| Vigor 2860 | 3.9.8.6 | Released |
| Vigor 2925 | 3.9.8.6 | Released |
| Vigor 2762 | 3.9.9.4 | Released |
| Vigor 2832 | 3.9.9.4 | Released |
| Vigor 2620Ln | 3.9.9.5 | Released |
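
To audit a fleet against the table above, the following added example (not part of the original advisory and not DrayTek code) compares each device's firmware with the listed minimum for its model. It assumes that where a model has two listed versions they are separate release lines, and that any suffix after the dotted number can be ignored; the inventory entries and the `_STD` suffix are constructed sample data.

```python
import re

# Minimum fixed firmware per model, transcribed from the advisory table above.
FIXED = {m: ["4.4.3.6", "4.4.5.1"] for m in ("2962", "3910", "3912")}
FIXED.update({m: ["4.5.1"] for m in ("2135", "2763", "2765", "2766", "2865", "2866", "2927")})
FIXED.update({m: ["3.9.9.12"] for m in ("2862", "2926")})
FIXED.update({m: ["3.9.8.8"] for m in ("2952", "3220")})
FIXED.update({m: ["3.9.8.6"] for m in ("2860", "2925")})
FIXED.update({m: ["3.9.9.4"] for m in ("2762", "2832")})
FIXED["2620LN"] = ["3.9.9.5"]


def parse_version(text):
    """Return the leading dotted-numeric part as a tuple; any suffix is ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def model_key(model):
    """Normalise 'Vigor 2962', 'vigor2620Ln' or '2962' to the table key."""
    return re.sub(r"(?i)^\s*vigor\s*", "", model).strip().upper()


def assess(model, firmware):
    """Return 'PATCHED', 'UPDATE' or 'NOT_LISTED' for one device."""
    fixes = [parse_version(f) for f in FIXED.get(model_key(model), [])]
    if not fixes:
        return "NOT_LISTED"
    current = parse_version(firmware)
    if current >= max(fixes):
        return "PATCHED"
    # Assumption: two listed versions are separate release lines, so a device
    # counts as fixed only on the same line (all but the last field equal).
    on_fixed_line = any(current[:len(f) - 1] == f[:-1] and current >= f for f in fixes)
    return "PATCHED" if on_fixed_line else "UPDATE"


# Constructed sample inventory (not real devices).
INVENTORY = [("Vigor 2962", "4.4.3.6"), ("Vigor 3910", "4.4.5.0"),
             ("vigor2927", "4.4.6.1"), ("Vigor 2620Ln", "3.9.9.5_STD"),
             ("Vigor 2915", "4.4.6.3")]

if __name__ == "__main__":
    for model, firmware in INVENTORY:
        print(f"{model:14} {firmware:12} {assess(model, firmware)}")
```

A version that falls between two listed release lines is reported as UPDATE, which is the conservative reading of the table.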

Recognising Contribution

We extend our sincere appreciation to Pierre-Yves MAES for his responsible disclosure and timely reporting of this vulnerability, which has contributed to strengthening our security measures.