CVE-2024-41334

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-41334
Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://draytek.com
https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946
Configurations

No configuration.

History

06 May 2025, 18:15

Type Values Removed Values Added
CWE CWE-94 CWE-295
CVSS v2 : unknown
v3 : 9.8 		v2 : unknown
v3 : 8.8

28 Feb 2025, 16:15

Type Values Removed Values Added
CWE CWE-94
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
Summary
  • (es) Se descubrió que los dispositivos Draytek Vigor 165/166 anteriores a la v4.2.6, Vigor 2620/LTE200 anteriores a la v3.9.8.8, Vigor 2860/2925 anteriores a la v3.9.7, Vigor 2862/2926 anteriores a la v3.9.9.4, Vigor 2133/2762/2832 anteriores a la v3.9.8, Vigor 2135/2765/2766 anteriores a la v4.4.5.1, Vigor 2865/2866/2927 anteriores a la v4.4.5.3, Vigor 2962/3910 anteriores a la v4.3.2.7, Vigor 3912 anteriores a la v4.3.5.2 y Vigor 2925 hasta la v3.9.6 no utilizaban la verificación de certificados, lo que permitía a los atacantes cargar módulos APPE manipulados desde servidores no oficiales, lo que lleva a la ejecución de código arbitrario.

27 Feb 2025, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-27 21:15

Updated : 2025-05-06 18:15

NVD link : CVE-2024-41334

Mitre link : CVE-2024-41334

CVE.ORG link : CVE-2024-41334

JSON object : View

Products Affected

No product.

CWE
CWE-295

Improper Certificate Validation