
CVE-2024-41339: n/a in n/a

Severity: High
Published: Thu Feb 27 2025 (02/27/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload a crafted kernel module, allowing for arbitrary code execution.

AI-Powered Analysis

Last updated: 07/03/2025, 08:11:17 UTC

Technical Analysis

CVE-2024-41339 is a critical vulnerability affecting multiple models of Draytek Vigor network devices, including routers and VPN gateways. The flaw resides in the CGI endpoint responsible for uploading configuration files. Specifically, the vulnerability allows an attacker with at least limited privileges (PR:L) to upload a crafted kernel module through this endpoint. This crafted module can then be executed on the device, leading to arbitrary code execution at the kernel level. The affected devices include a wide range of Vigor models, namely 165/166, 2620/LTE200, 2860/2925, 2862/2926, 2133/2762/2832, 2135/2765/2766, 2865/2866/2927, 2962/3910, 3912, and 2925, on firmware versions prior to the respective patch releases listed in the description. The vulnerability is classified under CWE-434, which covers improper handling of uploaded files, allowing malicious files to be accepted and executed. The CVSS v3.1 base score is 8.8, indicating high severity: the attack vector is network-based (AV:N), attack complexity is low (AC:L), privileges are required (PR:L), no user interaction is needed (UI:N), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No known exploits are currently reported in the wild, but the potential for exploitation is significant given the nature of the vulnerability and the widespread deployment of these devices in enterprise and small-to-medium business environments. The lack of patch links suggests that affected organizations must proactively seek firmware updates from Draytek or apply mitigations until patches are available.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to network infrastructure security. Draytek Vigor devices are commonly used in SMBs, branch offices, and some enterprise environments across Europe for VPN connectivity, firewalling, and routing. Successful exploitation could allow attackers to gain kernel-level control over these devices, enabling persistent backdoors, interception or manipulation of network traffic, and disruption of network availability. This could lead to data breaches, lateral movement within corporate networks, and potential compromise of sensitive information. Given the high confidentiality, integrity, and availability impacts, organizations relying on these devices for secure remote access or perimeter defense could face severe operational and reputational damage. The requirement for some privilege level means attackers might leverage compromised credentials or exploit other vulnerabilities to gain initial access before exploiting this flaw, increasing the attack surface. The absence of known exploits currently provides a window for mitigation, but the high severity score underscores the urgency of addressing this vulnerability.

Mitigation Recommendations

European organizations should immediately inventory their network infrastructure to identify any Draytek Vigor devices matching the affected models and firmware versions. They should then prioritize upgrading these devices to the latest firmware versions provided by Draytek that address this vulnerability. In the absence of available patches, organizations should restrict access to the device management interfaces, especially the CGI upload endpoint, by implementing network segmentation and access control lists limiting management access to trusted administrators only. Employing multi-factor authentication for device management accounts can reduce the risk of privilege escalation. Monitoring network traffic for unusual uploads or kernel module activity can help detect attempted exploitation. Additionally, organizations should review and harden device configurations, disable unnecessary services, and ensure that default credentials are changed. Regularly updating firmware and maintaining an asset management process for network devices will help mitigate similar vulnerabilities in the future.
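The inventory step above is the one most easily automated: compare each device's model and running firmware against the affected ranges given in the description. The following Python is an added example written for this page, not code from DrayTek or from the advisory's author. It transcribes the model/version bounds from the description, treats "prior to vX" as "firmware lower than X" and, as an assumption, "up to vX" as "firmware X or lower", and strips hardware suffixes such as "ac" or "ax" from model names (also an assumption about how inventories name these devices). The inventory rows at the bottom are constructed sample data; the script only compares strings and never contacts a device.

```python
"""Flag DrayTek Vigor devices whose firmware falls in the CVE-2024-41339 ranges.

Bounds are transcribed from the CVE description. Inventory rows are
constructed sample data, not real devices.
"""
import re

# (model key, firmware bound, bound_inclusive)
# "prior to vX" -> vulnerable if firmware < X (inclusive=False)
# "up to vX"    -> assumed vulnerable if firmware <= X (inclusive=True)
AFFECTED = [
    ("165", "4.2.6", False), ("166", "4.2.6", False),
    ("2620", "3.9.8.8", False), ("LTE200", "3.9.8.8", False),
    ("2860", "3.9.7", False), ("2925", "3.9.7", False),
    ("2862", "3.9.9.4", False), ("2926", "3.9.9.4", False),
    ("2133", "3.9.8", False), ("2762", "3.9.8", False), ("2832", "3.9.8", False),
    ("2135", "4.4.5.1", False), ("2765", "4.4.5.1", False), ("2766", "4.4.5.1", False),
    ("2865", "4.4.5.3", False), ("2866", "4.4.5.3", False), ("2927", "4.4.5.3", False),
    ("2962", "4.3.2.7", False), ("3910", "4.3.2.7", False),
    ("3912", "4.3.5.2", False),
    ("2925", "3.9.6", True),
]


def parse_version(text):
    """'v4.4.5.1' -> (4, 4, 5, 1). A leading 'v' and trailing build tags are ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text, re.I)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_cmp(a, b):
    """Compare two version tuples with zero padding, so 4.4.5 == 4.4.5.0.
    Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def normalize_model(model):
    """Map an inventory model string onto the keys used in AFFECTED.
    'Vigor 2865ax' -> '2865', 'Vigor LTE200' -> 'LTE200'. Returns None for
    anything that is not a 3-4 digit Vigor number or LTE200 (assumption:
    hardware suffixes carry no firmware-line meaning for this check)."""
    m = re.sub(r"^\s*vigor\s*", "", model, flags=re.I)
    hit = re.match(r"(LTE200|\d{3,4})", m, re.I)
    if not hit:
        return None
    key = hit.group(1)
    return "LTE200" if key.upper() == "LTE200" else key


def is_affected(model, firmware):
    """True if (model, firmware) falls inside any range in AFFECTED."""
    key = normalize_model(model)
    if key is None:
        return False  # model not named in the advisory; nothing to say about it
    fw = parse_version(firmware)
    for m, bound, inclusive in AFFECTED:
        if m != key:
            continue
        c = version_cmp(fw, parse_version(bound))
        if c < 0 or (inclusive and c == 0):
            return True
    return False


def check_inventory(rows):
    """rows: iterable of (hostname, model, firmware). Returns the flagged rows."""
    return [row for row in rows if is_affected(row[1], row[2])]


# Constructed sample inventory (hostnames, models and versions are made up).
SAMPLE_INVENTORY = [
    ("branch-a-gw", "Vigor 2865ax", "4.4.5.1"),   # below 4.4.5.3 -> flagged
    ("branch-b-gw", "Vigor 2865ax", "4.4.5.3"),   # at the fixed version -> clean
    ("hq-dsl",      "Vigor 165",    "4.2.5"),     # below 4.2.6 -> flagged
    ("lab-old",     "Vigor 2925",   "3.9.6"),     # "up to v3.9.6" -> flagged
    ("lab-lte",     "Vigor LTE200", "3.9.8.8"),   # at the fixed version -> clean
    ("misc",        "Vigor 3900",   "1.5.1"),     # model not in the advisory
]

if __name__ == "__main__":
    for host, model, fw in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {model} {fw} is in an affected range for CVE-2024-41339")
```

Run it against a real inventory export by replacing SAMPLE_INVENTORY with the exported rows; anything flagged is a candidate for the firmware upgrade or the interim management-plane restrictions described above.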


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-07-18T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981cc4522896dcbda2d2

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/3/2025, 8:11:17 AM

Last updated: 8/1/2025, 4:10:53 AM
