Yes support confirmed this.

The table might be wrong, ideally we need an official notice from Draytek on this.

Ofcourse I could be wrong here but my perception is that Draytek and/or their Support organisation have known about these vulnerabilities for a while if it was fixed in 4.4.5.2 (released in Aug 2024). Have they just sat on them without alerting the customer base?

Details of the bugs
https://www.forescout.com/resources/draybreak-draytek-research/

Basically sloppy coding which sadly isn't unique. Companies have to pay to get good coders and many don't want to fork out such outlay or pay appropriate amounts to good coders so that they stay.

As for alerts I don't know if they send them out to registered owners or not.

Just a heads up that some more critical firmware releases have dropped on the UK site which mention Web GUI Security

I also received formal notification from Draytek about all these CVEs. 3-4 months!!

The handling of this security issue by Draytek UK is truly shocking!