Credentials management in DrayTek Corp. products - CVE-2024-41589
Published: October 3, 2024
Vulnerability identifier: #VU97985
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-41589
CWE-ID: CWE-255
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: DrayTek Corp.
Affected software:
Vigor 1000B
Vigor 2962
Vigor 3910
Vigor 3912
Vigor 165
Vigor 166
Vigor 2135
Vigor 2763
Vigor 2765
Vigor 2766
Vigor 2865
Vigor 2866
Vigor 2915
Vigor 2620
Vigor LTE200
Vigor 2133
Vigor 2762
Vigor 2860
Vigor 2925
Vigor 2862
Vigor 2926
Vigor 2952
Vigor 3220
Vigor 2832
Vigor 1000B
Vigor 2962
Vigor 3910
Vigor 3912
Vigor 165
Vigor 166
Vigor 2135
Vigor 2763
Vigor 2765
Vigor 2766
Vigor 2865
Vigor 2866
Vigor 2915
Vigor 2620
Vigor LTE200
Vigor 2133
Vigor 2762
Vigor 2860
Vigor 2925
Vigor 2862
Vigor 2926
Vigor 2952
Vigor 3220
Vigor 2832
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the same admin credentials are used across the entire system (including both guest and host operating systems). Obtaining these credentials can lead to full system compromise.
How to mitigate CVE-2024-41589
Install updates from vendor's website.