Multiple vulnerabilities in DrayTek routers



Risk: High
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2024-51138, CVE-2024-51139
CWE-ID: CWE-121, CWE-190
Exploitation vector: Network
Public exploit: N/A
Vulnerable software (Hardware solutions / Routers & switches, VoIP, GSM, etc):

Vigor2620 LTE
VigorLTE 200n
Vigor2133
Vigor2135
Vigor2762
Vigor2765
Vigor2766
Vigor2832
Vigor2860
Vigor2860 LTE
Vigor2862
Vigor2862 LTE
Vigor2865
Vigor2865 LTE
Vigor2865L-5G
Vigor2866
Vigor2866 LTE
Vigor2915
Vigor2925
Vigor2925 LTE
Vigor2926
Vigor2926 LTE
Vigor2927
Vigor2927 LTE
Vigor2927L-5G
Vigor2952
Vigor2952P
Vigor2962
Vigor3220
Vigor3910
Vigor3912

Vendor: DrayTek Corp.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Stack-based buffer overflow

EUVDB-ID: #VU106349

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-51138

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the URL parsing functionality of the TR069 STUN server. A remote unauthenticated attacker can send a specially crafted request, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vigor2620 LTE: All versions

VigorLTE 200n: All versions

Vigor2133: All versions

Vigor2135: All versions

Vigor2762: All versions

Vigor2765: All versions

Vigor2766: All versions

Vigor2832: All versions

Vigor2860: All versions

Vigor2860 LTE: All versions

Vigor2862: All versions

Vigor2862 LTE: All versions

Vigor2865: All versions

Vigor2865 LTE: All versions

Vigor2865L-5G: All versions

Vigor2866: All versions

Vigor2866 LTE: All versions

Vigor2915: All versions

Vigor2925: All versions

Vigor2925 LTE: All versions

Vigor2926: All versions

Vigor2926 LTE: All versions

Vigor2927: All versions

Vigor2927 LTE: All versions

Vigor2927L-5G: All versions

Vigor2952: All versions

Vigor2952P: All versions

Vigor2962: All versions

Vigor3220: All versions

Vigor3910: All versions

Vigor3912: All versions

External links

https://draytek.com
https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946
https://www.draytek.com/about/security-advisory/buffer-overflow-vulnerabilities-(cve-2024-51138-cve-2024-51139)


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU106350

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-51139

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in the CGI parser's handling of the "Content-Length" header in HTTP POST requests. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vigor2620 LTE: All versions

VigorLTE 200n: All versions

Vigor2133: All versions

Vigor2135: All versions

Vigor2762: All versions

Vigor2765: All versions

Vigor2766: All versions

Vigor2832: All versions

Vigor2860: All versions

Vigor2860 LTE: All versions

Vigor2862: All versions

Vigor2862 LTE: All versions

Vigor2865: All versions

Vigor2865 LTE: All versions

Vigor2865L-5G: All versions

Vigor2866: All versions

Vigor2866 LTE: All versions

Vigor2915: All versions

Vigor2925: All versions

Vigor2925 LTE: All versions

Vigor2926: All versions

Vigor2926 LTE: All versions

Vigor2927: All versions

Vigor2927 LTE: All versions

Vigor2927L-5G: All versions

Vigor2952: All versions

Vigor2952P: All versions

Vigor2962: All versions

Vigor3220: All versions

Vigor3910: All versions

Vigor3912: All versions

External links

https://draytek.com
https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946
https://www.draytek.com/about/security-advisory/buffer-overflow-vulnerabilities-(cve-2024-51138-cve-...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


