CVE-2023-33778

Name: CVE-2023-33778
Creator: NVD / NIST
Published: 2023-06-01T04:15:10.313+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 0.60%

Last modified Jun 17, 2026

CVE-2023-33778 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website.. EPSS estimates a 0.60% chance of exploitation in the next 30 days.

Description

Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.60%

44.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Draytek	Myvigor	< 2.3.2
Draytek	Vigorswitch Pq2200xb Firmware	< 2.6.7
Draytek	Vigorswitch Pq2121x Firmware	< 2.6.7
Draytek	Vigorswitch P2540xs Firmware	< 2.6.7
Draytek	Vigorswitch P2280x Firmware	< 2.6.7
Draytek	Vigorswitch P2100 Firmware	< 2.6.7
Draytek	Vigorswitch Q2200x Firmware	< 2.6.7
Draytek	Vigorswitch Q2121x Firmware	< 2.6.7
Draytek	Vigorswitch G2540xs Firmware	< 2.6.7
Draytek	Vigorswitch G2280x Firmware	< 2.6.7
Draytek	Vigorswitch G2121 Firmware	< 2.6.7
Draytek	Vigorswitch G2100 Firmware	< 2.6.7
Draytek	Vigorswitch Fx2120 Firmware	< 2.6.7
Draytek	Vigorswitch P1282 Firmware	< 2.6.7
Draytek	Vigorswitch G1282 Firmware	< 2.6.7
Draytek	Vigorswitch G1085 Firmware	< 2.6.7
Draytek	Vigorswitch G1080 Firmware	< 2.6.7
Draytek	Vigorap 903 Firmware	< 1.4.0
Draytek	Vigorap 912c Firmware	< 1.4.0
Draytek	Vigorap 918r Firmware	< 1.4.0
Draytek	Vigorap 1060c Firmware	< 1.4.0
Draytek	Vigorap 906 Firmware	< 1.4.0
Draytek	Vigorap 960c Firmware	< 1.4.0
Draytek	Vigorap 1000c Firmware	< 1.4.0
Draytek	Vigor2766ac Firmware	< 3.9.6
Draytek	Vigor2766ac Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2766ax Firmware	< 3.9.6
Draytek	Vigor2766ax Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2766vac Firmware	< 3.9.6
Draytek	Vigor2766vac Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2765ax Firmware	< 3.9.6
Draytek	Vigor2765ax Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2765vac Firmware	< 3.9.6
Draytek	Vigor2765vac Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2765ac Firmware	< 3.9.6
Draytek	Vigor2765ac Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2763ac Firmware	< 3.9.6
Draytek	Vigor2763ac Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2620l Firmware	< 3.9.6
Draytek	Vigor2620l Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2620ln Firmware	< 3.9.6
Draytek	Vigor2620ln Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigorlte 200n Firmware	< 3.9.6
Draytek	Vigorlte 200n Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2915ac Firmware	< 3.9.6
Draytek	Vigor2915ac Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2135ac Firmware	< 3.9.6
Draytek	Vigor2135ac Firmware	>= 4.0.0, < 4.2.4
Draytek	Vigor2135ax Firmware	< 3.9.6
Draytek	Vigor2135ax Firmware	>= 4.0.0, < 4.2.4

Showing 50 of 120 affected configurations. See NVD for the full list.

References

https://gist.github.com/Ji4n1ng/6d028709d39458f5ab95b3ea211225efExploit, Third Party Advisory
https://gist.github.com/Ji4n1ng/6d028709d39458f5ab95b3ea211225efExploit, Third Party Advisory

Timeline

Published: Jun 1, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-33778?

How severe is CVE-2023-33778?

CVE-2023-33778 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.60% probability of exploitation in the next 30 days.

How do I fix CVE-2023-33778?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-33778?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST