CVE-2024-41334: Code Injection
First published: Thu Feb 27 2025(Updated: )
Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| DrayTek Vigor165/166 | <4.2.6 | |
| DrayTek Vigor165/166 | <4.2.6 | |
| DrayTek Vigor2620/LTE200 | <3.9.8.8 | |
| DrayTek Vigor2620/LTE200 | <3.9.8.8 | |
| DrayTek Vigor2860/2925 | <3.9.7 | |
| Draytek Vigor2925 Firmware | <3.9.7 | |
| DrayTek Vigor2862/2926 | <3.9.9.4 | |
| DrayTek Vigor2862/2926 | <3.9.9.4 | |
| DrayTek Vigor2133/2762/2832 | <3.9.8 | |
| Draytek Vigor 2762 | <3.9.8 | |
| Draytek Vigor 2832 | <3.9.8 | |
| Draytek Vigor 2135 | <4.4.5.1 | |
| DrayTek Vigor2135/2765/2766 | <4.4.5.1 | |
| DrayTek Vigor2135/2765/2766 | <4.4.5.1 | |
| Draytek Vigor 2865 | <4.4.5.3 | |
| Draytek Vigor 2866 | <4.4.5.3 | |
| Draytek Vigor 2927 | <4.4.5.3 | |
| DrayTek Vigor2962/3910 | <4.3.2.7 | |
| DrayTek Vigor2962/3910 | <4.3.2.7 | |
| Draytek Vigor 3912 | <4.3.5.2 | |
| Draytek Vigor2925 Firmware | <=3.9.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-41334?
CVE-2024-41334 is classified with a medium severity score, indicating a moderate level of risk to affected Draytek devices.
How do I fix CVE-2024-41334?
To fix CVE-2024-41334, update the affected Draytek devices to the latest firmware version as specified in the advisory.
Which Draytek devices are affected by CVE-2024-41334?
CVE-2024-41334 affects multiple models including Draytek Vigor 165, 166, 2620, 2860, 2925, and others prior to their respective patched firmware versions.
What kinds of vulnerabilities are exposed in CVE-2024-41334?
CVE-2024-41334 may expose devices to unauthorized access and exploitation due to improper input validation and authentication mechanisms.
When should I address CVE-2024-41334?
You should address CVE-2024-41334 as soon as possible to mitigate potential security risks associated with the vulnerability.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/source
- agent/type
- agent/first-publish-date
- agent/description
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- vendor/draytek
- canonical/draytek vigor165/166
- canonical/draytek vigor2620/lte200
- canonical/draytek vigor2860/2925
- canonical/draytek vigor2925 firmware
- canonical/draytek vigor2862/2926
- canonical/draytek vigor2133/2762/2832
- canonical/draytek vigor 2762
- canonical/draytek vigor 2832
- canonical/draytek vigor 2135
- canonical/draytek vigor2135/2765/2766
- canonical/draytek vigor 2865
- canonical/draytek vigor 2866
- canonical/draytek vigor 2927
- canonical/draytek vigor2962/3910
- canonical/draytek vigor 3912