#VU97976 Buffer overflow in DrayTek Corp. products - CVE-2024-41588
Published: October 3, 2024
Vulnerability identifier: #VU97976
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-41588
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Vigor 1000B
Vigor 2962
Vigor 3910
Vigor 3912
Vigor 165
Vigor 166
Vigor 2135
Vigor 2763
Vigor 2765
Vigor 2766
Vigor 2865
Vigor 2866
Vigor 2915
Vigor 2620
Vigor LTE200
Vigor 2133
Vigor 2762
Vigor 2860
Vigor 2925
Vigor 2862
Vigor 2926
Vigor 2952
Vigor 3220
Vigor 2832
Vigor 1000B
Vigor 2962
Vigor 3910
Vigor 3912
Vigor 165
Vigor 166
Vigor 2135
Vigor 2763
Vigor 2765
Vigor 2766
Vigor 2865
Vigor 2866
Vigor 2915
Vigor 2620
Vigor LTE200
Vigor 2133
Vigor 2762
Vigor 2860
Vigor 2925
Vigor 2862
Vigor 2926
Vigor 2952
Vigor 3220
Vigor 2832
Software vendor:
DrayTek Corp.
DrayTek Corp.
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WebUI when handling data passed to the "/cgi-bin/v2x00.cgi" and "/cgi-bin/cgiwcg.cgi" scripts. A remote privileged user can send a specially crafted HTTP request to the web interface, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.