Hm, Why Are So Many DrayTek Routers Stuck In A Bootloop?

DrayTek router owners in the UK and beyond had a pretty miserable weekend after some ISPs began to notice a bunch of their customers' gateways going offline.

Pretty much overnight on Saturday, a good number of some types of DrayTek routers began rebooting over and over, rendering them inoperable. DrayTek says if that's happening to you, disconnect the router from the internet and try upgrading the firmware. And surely apropos of nothing, don't allow remote administrative access.

"The solution is to disconnect the WAN and then try to upgrade to the latest firmware ... Try the [Trivial File Transfer Protocol] TFTP firmware upgrade if the normal upgrade using the web UI does not work," the manufacturer stated Monday.

"If remote access is enabled, disable it unless absolutely necessary. Use an access control list (ACL) and enable 2FA if possible. For unpatched routers, disable both remote access (admin) and SSL VPN. Note: ACL doesn’t apply to SSL VPN (Port 443), so temporarily disable SSL VPN until upgraded."

The issues, highlighted by ISP Review, showed up on the radar of various telcos. Gamma, which services folks in the UK and Europe, acknowledged that some punters were struggling with their equipment, said the SNAFU wasn't caused by its network, and didn't name DrayTek.

Zen, meanwhile, went from fearing a hardware fault within its own network was causing subscribers to drop offline, to confirming it was a problem with DrayTek gear, and shared pretty much the same recovery instructions the router maker offered.

ICUK also pointed the finger at DrayTek, and said the kerfuffle was causing a headache for some broadband customers of BT Wholesale and TalkTalk Wholesale, the latter now known as PXC. A&A, too, fingered DrayTek, speculated it may all have something to do with recently disclosed buffer-overflow vulnerabilities in the firmware, and offered alternative hardware to customers if they couldn't get their loopy kit working again.

Last October, DrayTek released various security patches for its hardware, including fixing one 10-out-of-10 CVSS severity issue in an end-of-life device.

This month DrayTek highlighted what looks like another bunch of bugs it patched in 2024 that, if exploited, could lead to crashes or the execution of malware.

Essentially, it's possible someone started trying to, or successfully exploited, these flaws in un-patched DrayTek devices to cause them to crash over and over, at least. Possibly.

• 700K+ DrayTek routers are sitting ducks on the internet, open to remote hijacking
• FBI boss says China 'burned down' 260,000-device botnet when confronted by Feds
• China's Salt Typhoon cyber spies are deep inside US ISPs
• Despite Russia warnings, Western critical infrastructure remains unprepared

A month before the aforementioned October patches were released, the Five Eyes nations warned [PDF] a Chinese operation was running a network of remote-controlled malware-infected devices, including DrayTek gear. According to then-FBI director Chris Wray, the miscreants realized they had been spotted and shuttered at least part of the 260,000-device botnet.

There are some reports that shifting to the latest firmware won't solve the issue, and folks have had to revert to an earlier build. Problems have also been reported in Australia and across Asia. Please let us know in the forums if you've had this boot loop pain, naming the model number, firmware versions, and general geographical location, if possible.

We've asked DrayTek for clarification and will update this story if we receive more info from the vendor or other sources. ®

Editor's note: We tweaked this story to clarify that when ICUK mentioned TalkTalk, it was referring to the wholesale business of TalkTalk, which is now known as PlatformX Communications, aka PXC.