Are Legacy Models Insecure?

Hi Jon - thank you for raising this question, it's an important one to get a clear answer on.

Yes, they are. The only limitation on this is when a security fix requires a fundamental OS-level change (like an upgrade to the latest Linux kernel) where the older hardware platforms are not capable of supporting the change.

In the case of this specific vulnerability, the identified Peplink models that can only be upgraded to the 8.3 series are running older kernels.

These models do not have enough resources to upgrade the kernel to the same level as later devices that have been patched. For other vulnerabilities which do not require a kernel upgrade, we expect to have new 8.3.x firmware with security updates.

It did take a moment or two for us to see the fix for this made available, you're right. It is now included in the 8.4 / 3.9.3 firmware for MAX/Balance/APs, as you noted.

On high risk security issues Peplink has a history of being very fast to release patches / fixes.

In this instance the response took longer, but to be fair there were more moving parts here than usual, since a key change needed was the kernel upgrade.
Peplink needed to wait for multiple SoC OEMs to release their patches before they could then patch the individual Peplink device firmwares.

Although the time taken wasn't ideal, considering most vendors assessed the vulnerability as low risk I do think it was acceptable, especially with the delays involved in sourcing kernel patches from the underlying chip makers.

What is less acceptable is the lack of communication throughout, and I have raised that with the engineering team as an area that requires improvement.