CVE-2024-41339 is a critical vulnerability affecting multiple models of Draytek Vigor network devices, including routers and VPN gateways. The flaw resides in the CGI endpoint responsible for uploading configuration files. Specifically, the vulnerability allows an attacker with at least limited privileges (PR:L) to upload a crafted kernel module through this endpoint. This crafted module can then be executed on the device, leading to arbitrary code execution at the kernel level. The affected devices include a wide range of Vigor models such as 165/166, 2620/LTE200, 2860/2925, 2862/2926, 2133/2762/2832, 2135/2765/2766, 2865/2866/2927, 2962/3910, 3912, and 2925, with specific firmware versions prior to various patch releases. The vulnerability is classified under CWE-434, which relates to improper handling of uploaded files, allowing malicious files to be accepted and executed. The CVSS v3.1 base score is 8.8, indicating a high severity, with attack vector being network-based (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability to a high degree (C:H/I:H/A:H). No known exploits are currently reported in the wild, but the potential for exploitation is significant given the nature of the vulnerability and the widespread deployment of these devices in enterprise and small-to-medium business environments. The lack of patch links suggests that affected organizations must proactively seek firmware updates from Draytek or apply mitigations until patches are available.

For European organizations, this vulnerability poses a substantial risk to network infrastructure security. Draytek Vigor devices are commonly used in SMBs, branch offices, and some enterprise environments across Europe for VPN connectivity, firewalling, and routing. Successful exploitation could allow attackers to gain kernel-level control over these devices, enabling persistent backdoors, interception or manipulation of network traffic, and disruption of network availability. This could lead to data breaches, lateral movement within corporate networks, and potential compromise of sensitive information. Given the high confidentiality, integrity, and availability impacts, organizations relying on these devices for secure remote access or perimeter defense could face severe operational and reputational damage. The requirement for some privilege level means attackers might leverage compromised credentials or exploit other vulnerabilities to gain initial access before exploiting this flaw, increasing the attack surface. The absence of known exploits currently provides a window for mitigation, but the high severity score underscores the urgency of addressing this vulnerability.

European organizations should immediately inventory their network infrastructure to identify any Draytek Vigor devices matching the affected models and firmware versions. They should then prioritize upgrading these devices to the latest firmware versions provided by Draytek that address this vulnerability. In the absence of available patches, organizations should restrict access to the device management interfaces, especially the CGI upload endpoint, by implementing network segmentation and access control lists limiting management access to trusted administrators only. Employing multi-factor authentication for device management accounts can reduce the risk of privilege escalation. Monitoring network traffic for unusual uploads or kernel module activity can help detect attempted exploitation. Additionally, organizations should review and harden device configurations, disable unnecessary services, and ensure that default credentials are changed. Regularly updating firmware and maintaining an asset management process for network devices will help mitigate similar vulnerabilities in the future.