More than 800,000 DrayTek routers at risks due to a mysterious zero-day exploit

Pierluigi Paganini May 19, 2018

DrayTek routers are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some models.

Routers manufactured by the Taiwan-based vendor DrayTek are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some of its routers.

DrayTek confirmed to be aware that hackers are attempting to exploit the zero-day vulnerability to compromise its routers.

Many users reported on Twitter cyber attacks against its routers, in these cases, hackers have changed DNS settings of the routers to point to a server having the 38.134.121.95 IP address on the network of China Telecom.

It is likely attackers are conducting a Man-in-the-Middle attack to redirect users to bogus clones of legitimate sites to steal their credentials.

DrayTek published a security advisory warning of the attacks and providing instructions on how to check and correct DNS settings.

“In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers.” reads the security advisory.

” If you have a router supporting multiple LAN subnets, check settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 38.134.121.95 – if you see that, your router has been changed. “

The company is already working on a firmware updates to patch the issue.

DrayTek published a second advisory that includes the list of devices and firmware versions that it is going to release in the coming days.

Initially, the company suspected that victims of the attacks were using DrayTek routers with default credentials, but one of them clarified that its device wasn’t using factory settings, a circumstance that confirms that attackers are in possession of a zero-day exploit.

https://twitter.com/GossiTheDog/status/997410290869432320

https://twitter.com/GossiTheDog/status/997410932727959552

https://twitter.com/GossiTheDog/status/997437742295416832

Searching for DrayTek routers online with Shodan we can find more than 800,000 connected devices connected online, some of them could be potentially compromised with the mysterious exploit.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – DrayTek routers, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini July 23, 2025

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini July 23, 2025