#VU106354 Unprotected storage of credentials in DrayTek Corp. products - CVE-2024-41336
Published: April 1, 2025
Vulnerability identifier: #VU106354
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-41336
CWE-ID: CWE-256
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Vigor165
Vigor166
Vigor2620 LTE
VigorLTE 200n
Vigor2133
Vigor2135
Vigor2762
Vigor2765
Vigor2766
Vigor2832
Vigor2860
Vigor2860 LTE
Vigor2862
Vigor2862 LTE
Vigor2865
Vigor2865 LTE
Vigor2865L-5G
Vigor2866
Vigor2866 LTE
Vigor2915
Vigor2925
Vigor2925 LTE
Vigor2926
Vigor2926 LTE
Vigor2927
Vigor2927L-5G
Vigor2952
Vigor2952P
Vigor2927 LTE
Vigor2962
Vigor3220
Vigor3910
Vigor3912
Vigor165
Vigor166
Vigor2620 LTE
VigorLTE 200n
Vigor2133
Vigor2135
Vigor2762
Vigor2765
Vigor2766
Vigor2832
Vigor2860
Vigor2860 LTE
Vigor2862
Vigor2862 LTE
Vigor2865
Vigor2865 LTE
Vigor2865L-5G
Vigor2866
Vigor2866 LTE
Vigor2915
Vigor2925
Vigor2925 LTE
Vigor2926
Vigor2926 LTE
Vigor2927
Vigor2927L-5G
Vigor2952
Vigor2952P
Vigor2927 LTE
Vigor2962
Vigor3220
Vigor3910
Vigor3912
Software vendor:
DrayTek Corp.
DrayTek Corp.
Description
The vulnerability allows a local attacker to gain access to sensitive information.
The vulnerability exists due to application stored credentials in plain text. An attacker with physical access can dump credentials.
Remediation
Install update from vendor's website.