A series of critical vulnerabilities in DrayTek Vigor routers widely deployed in small office/home office (SOHO) environments have been uncovered, exposing devices to remote code execution (RCE), denial-of-service (DoS) attacks, and credential theft.
The flaws, found while reverse-engineering the firmware, highlight systemic weaknesses in devices that sit between local networks and the internet.
Researchers identified nine CVEs (CVE-2024-41334 through CVE-2024-41340, plus CVE-2024-51138 and CVE-2024-51139), covering weaknesses in authentication, kernel module updates, and protocol implementations that could allow attackers to bypass security controls, execute arbitrary code, or crash devices.
Authentication and Encryption Failures
Faraday's team reports that two vulnerabilities, CVE-2024-41335 and CVE-2024-41336, undermine authentication safeguards.
The first stems from non-constant-time comparisons (strcmp and memcmp) in password-checking functions: the check stops at the first mismatching byte, so response timing reveals how many leading bytes of a guess are correct and lets an attacker recover the credential byte by byte.
The second stores passwords in plaintext, so anyone with physical access or a memory dump can read credentials directly.
Additionally, a flaw that had no CVE assigned at the time of writing makes two-factor authentication (2FA) codes predictable, because they are derived from router uptime.
Combining this with a DoS bug such as CVE-2024-41338, an attacker could force a reboot, predict the 2FA code the freshly booted device will produce, and bypass the login protection.
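The following is an added illustration of the timing leak described above; it is not Faraday's or DrayTek's code. It counts byte comparisons instead of measuring wall-clock time, which is the quantity a remote attacker infers from response latency. The stored secret "secret", the guesses, and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, written out to mirror what strcmp() does: it stops
 * at the first mismatching byte. *steps receives the number of byte
 * comparisons performed, which is what an attacker measures as latency. */
int compare_early_exit(const char *stored, const char *guess, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0;; i++) {
        (*steps)++;
        if (stored[i] != guess[i])
            return 0;      /* leak: work done == matching prefix length + 1 */
        if (stored[i] == '\0')
            return 1;
    }
}

/* Constant-time comparison: always walks the whole stored secret and folds
 * every byte difference (and any length mismatch) into one accumulator with
 * OR, so the work done does not depend on how good the guess is. The only
 * branch on the guess is its length, which the attacker already knows. */
int compare_constant_time(const char *stored, const char *guess, size_t *steps)
{
    size_t slen = strlen(stored);
    size_t glen = strlen(guess);
    uint8_t diff = (uint8_t)(slen != glen);

    *steps = 0;
    for (size_t i = 0; i < slen; i++) {
        uint8_t g = (i < glen) ? (uint8_t)guess[i] : 0;
        diff |= (uint8_t)stored[i] ^ g;
        (*steps)++;
    }
    return diff == 0;
}

/* Convenience wrappers that return only the comparison count. */
size_t early_exit_steps(const char *stored, const char *guess)
{
    size_t n;
    compare_early_exit(stored, guess, &n);
    return n;
}

size_t constant_time_steps(const char *stored, const char *guess)
{
    size_t n;
    compare_constant_time(stored, guess, &n);
    return n;
}

int main(void)
{
    /* Constructed sample: hypothetical stored secret and a few guesses. */
    const char *secret = "secret";
    const char *guesses[] = { "XXXXXX", "sXXXXX", "secrXX", "secret" };
    for (size_t i = 0; i < 4; i++)
        printf("%-8s early-exit steps=%zu  constant-time steps=%zu\n",
               guesses[i], early_exit_steps(secret, guesses[i]),
               constant_time_steps(secret, guesses[i]));
    return 0;
}
```

With the early-exit check the step count climbs by one for every correct leading byte, which is exactly the signal an attacker needs to brute-force one position at a time. The constant-time version always does six units of work. In a real fix the device would compare fixed-length password hashes rather than the plaintext, which both removes the residual dependence on the secret's length and addresses the plaintext storage issue of CVE-2024-41336.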
Kernel Module Exploitation and Code Execution
The most severe vulnerabilities enable RCE through kernel module manipulation. CVE-2024-41339 exploits an undocumented CGI configuration endpoint that accepts kernel module uploads disguised as configuration files.
Attackers could use this to install malicious modules, gaining root access. Similarly, CVE-2024-41340 and CVE-2024-41334 target DrayTek’s APP Enforcement (APPE) signature system.
The former allows arbitrary signature uploads, while the latter disables SSL certificate validation during updates, permitting man-in-the-middle attacks to push malicious modules.
Chained together, these flaws let an attacker hijack the device's update mechanisms and deploy persistent payloads.
Memory Corruption Vulnerabilities
Two memory corruption flaws—CVE-2024-51138 and CVE-2024-51139—pose critical risks.
The first is a stack-based buffer overflow in the URL parser of the TR069 STUN server, triggered by unauthenticated requests.
When TR069 and STUN are enabled (STUN is used so the management server can reach devices behind NAT), this allows full system compromise.
The second is an integer overflow in the CGI parser's handling of HTTP POST requests: the buffer size is derived from an attacker-controlled Content-Length header, the size computation wraps, an undersized heap buffer is allocated, and the subsequent copy of the body overflows it, leading to RCE.
Both vulnerabilities require no authentication and are exploitable remotely.
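Added example of the Content-Length bug class behind CVE-2024-51139, written for this page rather than taken from DrayTek's firmware: a naive parser that adds one to the declared length in 32-bit arithmetic, beside a hardened parser that validates and caps the value before doing any arithmetic on it. The header values, the MAX_BODY cap, and the function names are constructed and hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY (64u * 1024u)   /* hypothetical per-request cap */

/* Naive sizing as a 32-bit router CPU computes it: the "+1" for a NUL
 * terminator wraps to 0 when the header says 4294967295 (or "-1", which
 * strtoul silently negates to the same bit pattern). malloc(0) then hands
 * back a tiny chunk. */
uint32_t naive_alloc_size(const char *hdr)
{
    uint32_t len = (uint32_t)strtoul(hdr, NULL, 10);   /* no validation */
    return len + 1;                                     /* wraps to 0 */
}

/* The copy loop still trusts the raw value, so it intends to write far more
 * than was allocated: that mismatch is the heap overflow. */
uint32_t naive_copy_len(const char *hdr)
{
    return (uint32_t)strtoul(hdr, NULL, 10);
}

/* Hardened parser: digits only (no sign), no trailing junk, no strtoull
 * overflow, and a hard cap applied before the value is used in arithmetic. */
int parse_content_length(const char *hdr, uint32_t max_body, uint32_t *out)
{
    if (hdr == NULL || !isdigit((unsigned char)hdr[0]))
        return 0;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(hdr, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;
    if (v > max_body)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Copies a POST body into a fresh NUL-terminated buffer, or returns NULL if
 * the declared length is rejected or exceeds what was actually received.
 * The caller frees the result. */
char *read_body(const char *hdr, const char *body, size_t body_avail,
                uint32_t max_body)
{
    uint32_t len;
    if (!parse_content_length(hdr, max_body, &len))
        return NULL;
    if (len > body_avail)
        return NULL;
    char *buf = malloc((size_t)len + 1);   /* len <= max_body, cannot wrap */
    if (buf == NULL)
        return NULL;
    memcpy(buf, body, len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed header values, not captured from a device. */
    const char *hdrs[] = { "12", "4294967295", "-1", "12abc" };
    for (size_t i = 0; i < 4; i++) {
        uint32_t len;
        int ok = parse_content_length(hdrs[i], MAX_BODY, &len);
        printf("Content-Length: %-11s naive alloc=%u copy=%u  hardened: %s\n",
               hdrs[i], naive_alloc_size(hdrs[i]), naive_copy_len(hdrs[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The important ordering in the hardened version is that the bound check happens on the parsed value itself, before the +1 or any other arithmetic; checking `len + 1 > max_body` after the addition would still let the wrapped value through.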
The vulnerabilities impact multiple DrayTek router models, with the affected firmware versions varying by model:
- CVE-2024-41334 to CVE-2024-41338: Vigor165/166 (before 4.2.6), Vigor2620/LTE200 (before 3.9.8.8), Vigor2860/2925 (before 3.9.7), and Vigor2133/2762/2832 (before 3.9.8).
- CVE-2024-41339 and CVE-2024-41340: Vigor2862/2926 (before 3.9.9.5), Vigor2135/2765/2766 (before 4.4.5.1), and Vigor2962/3910 (before 4.3.2.8).
- CVE-2024-51138 and CVE-2024-51139: Vigor2620/LTE200 (before 3.9.9.1), Vigor2865/2866/2927 (before 4.4.5.8), and Vigor3912 (before 4.4.3.2).
Mitigation and Recommendations
Fixed firmware versions are listed above; administrators who cannot upgrade immediately should apply workarounds. Critical steps include:
- Disabling TR069 and STUN services where unnecessary to mitigate CVE-2024-51138.
- Upgrading firmware to a fixed version for each affected model (e.g., Vigor2860/2925 to 3.9.7 or later).
- Enforcing network segmentation to isolate routers from sensitive internal systems.
- Monitoring for anomalous activity, such as unexpected configuration changes or module installations.
Researchers will disclose technical details for CVE-2024-51138 and CVE-2024-51139 at DEFCON 32 HHV and Ekoparty 2024, underscoring the urgency of preemptive mitigation.
Enterprises reliant on DrayTek devices should engage red-teaming services to assess exposure and deploy continuous vulnerability scanning.
The discovery of these flaws underscores the risks posed by proprietary firmware and lax update practices in critical network infrastructure.
As attackers increasingly target edge devices, vendors must prioritize transparent security practices, and users must demand them.