Do Son 
Over the past weekend (March 22–23), owners of DrayTek routers across the globe encountered a serious malfunction—devices began crashing en masse, entering endless reboot loops. The issue was first flagged by internet service providers in the United Kingdom when thousands of customers suddenly lost internet access.
The disruption occurred abruptly—on Saturday night, several DrayTek models entered a continuous cycle of restarts. Affected users found themselves unable to connect to the internet or access the device’s administration panel. Acknowledging the fault, the manufacturer advised disconnecting the router from the internet and attempting a firmware update.
DrayTek recommended using the TFTP method for updating if the standard web interface was inaccessible. Additionally, they strongly advised disabling remote administrative access unless absolutely necessary and temporarily suspending SSL VPN functionality. Notably, access control lists do not apply to SSL VPN, rendering it particularly vulnerable in the absence of timely updates.
Several ISPs have issued statements about the incident. UK-based provider Gamma confirmed some customers were affected, while distancing itself from responsibility. Zen Internet initially suspected internal infrastructure issues but later traced the disruption solely to DrayTek hardware. Similar confirmations came from ICUK and A&A, which reported widespread customer impact.
Speculation surrounding the cause of the incident centers on recently disclosed vulnerabilities in DrayTek firmware. Some of these flaws were deemed critical, capable of facilitating malicious code execution or rendering devices inoperative. According to A&A specialists, it is highly likely the disruption was a consequence of these vulnerabilities being exploited—especially on devices lacking recent updates.
DrayTek has previously grappled with similar issues. In October, the company patched a vulnerability rated 10 out of 10 on the CVSS scale in a legacy model, and in 2025 released a fresh list of critical fixes for flaws that could lead to system failures or malware infection. Some users report that even updated firmware fails to resolve the perpetual reboot issue, occasionally requiring a rollback to earlier versions.
Notably, a month prior to the October patch, the Five Eyes intelligence alliance warned that a Chinese hacker group was weaponizing compromised DrayTek devices to build a botnet estimated at up to 260,000 units. According to the FBI director, the perpetrators were identified and had begun dismantling parts of their infrastructure.
Reboot issues have now been reported not only in the UK, but also in Asia and Australia. Some users speculate that the event may be the result of both latent vulnerabilities and a coordinated exploitation campaign. So far, there is no universally effective recovery method—the solution depends heavily on the device model, firmware version, and how quickly users disconnected their routers from the public internet.
DrayTek has yet to provide comprehensive clarification, but users continue to share recovery strategies within the community. Most service providers agree on the urgent necessity of disabling remote access and applying critical patches without delay.
