
Improve WebUI security for Vigor3910 and Vigor2962 Series

Release Date: 2021-07-08

The firmware (version 3.9.6.3) has corrected a WebGUI security issue that could allow router admin and VPN credentials to be discovered if remote management was enabled without an ACL. We strongly recommend you follow the steps below to review the security settings in your Vigor router.

Necessary Action:
We recommend that users of affected models upgrade the firmware to version 3.9.6.3 or later and, after upgrading, change the admin login password and the passwords/PSKs for VPN profiles.

| Model | Fixed Firmware Version |
|---|---|
| Vigor2962 | 3.9.6.3 |
| Vigor3910 | 3.9.6.3 |

  1. Use a strong password for admin login and all VPN profiles. Change the passwords periodically.
  2. Disable any unnecessary services and VPN profiles, like OpenVPN, PPTP VPN, or remote management (Web, SNMP, telnet, SSH, FTP) from WAN. If any service is enabled, please enable ACL, 2FA, or specify the VPN peer IP to restrict access.
  3. Enable Brute Force Protection on the Management setup page.
  4. Record Syslog, set up VPN/login Mail Alerts, and review the logs periodically. If you see abnormal attack events, enable DoS Defense and block those IPs by using the Blacklist.
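
One way to carry out the log review in step 4, as an added example that is not DrayTek code: it counts failed Web/VPN logins per source IP in a sliding window and returns the addresses worth adding to the Blacklist. The log line layout, `LINE_RE`, `SAMPLE_LOG` and the thresholds are assumptions constructed for illustration; adapt the pattern to the syslog lines your router actually sends.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED layout (not the router's real syslog
# format). Addresses come from the documentation ranges.
SAMPLE_LOG = """\
2021-07-08 09:00:00 router WebLogin: FAILED user=admin from 198.51.100.7
2021-07-08 10:00:01 router WebLogin: FAILED user=admin from 203.0.113.50
2021-07-08 10:00:09 router WebLogin: FAILED user=admin from 203.0.113.50
2021-07-08 10:00:15 router VPN: FAILED user=branch1 from 203.0.113.50
2021-07-08 10:00:20 router WebLogin: OK user=admin from 192.0.2.10
2021-07-08 10:00:31 router WebLogin: FAILED user=root from 203.0.113.50
2021-07-08 10:00:40 router WebLogin: FAILED user=admin from 203.0.113.50
2021-07-08 11:30:00 router WebLogin: FAILED user=admin from 198.51.100.7
2021-07-08 14:00:00 router VPN: FAILED user=admin from 198.51.100.7
truncated or unrelated line
"""

# Hypothetical pattern matching the constructed layout above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (?P<svc>\w+): "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def blacklist_candidates(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak failure count} for sources that reach `threshold`
    failed logins (Web or VPN) inside any sliding `window`.
    Lines are expected in chronological order, as syslog delivers them."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in window
    peak = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAILED":
            continue  # ignore successful logins and unparseable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak

if __name__ == "__main__":
    for ip, count in sorted(blacklist_candidates(SAMPLE_LOG).items()):
        print(f"{ip}: {count} failed logins within 60 s")
```

A short window catches fast guessing from one address; rerunning with a longer window and lower threshold surfaces slow attempts that stay under the first setting.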
Contact Technical Support

Should you have any security-related inquiry regarding one of our products, please contact DrayTek Technical Support.