CVE-2024-41334
Published: 27 February 2025
Summary
CVE-2024-41334 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Draytek Vigor166 Firmware. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SR-11 (Component Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires digital signature verification of software and firmware components prior to installation, directly preventing upload of crafted APPE modules lacking valid certificates from unauthorized servers.
Mandates verification of component authenticity before installation or execution, blocking exploitation via unauthenticated APPE modules from non-official sources.
Employs integrity verification mechanisms for software and firmware to prevent and detect unauthorized modifications, such as those from improperly validated APPE modules.
NVD Description
Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910…
more
prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution.
Deeper analysisAI
CVE-2024-41334 is an improper certificate validation vulnerability (CWE-295) affecting multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The flaw occurs because these devices do not perform certificate verification when uploading APPE (Application Program Extension Environment) modules, enabling the installation of modules from unauthorized sources.
Attackers can exploit this vulnerability over the network with low complexity and low privileges (PR:L), requiring no user interaction. Successful exploitation allows uploading crafted APPE modules from non-official servers, resulting in arbitrary code execution on the device. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.
Mitigation involves updating affected devices to the vendor-recommended firmware versions listed above, as indicated in the vulnerability description. Additional details are available in advisories from Draytek at http://draytek.com and Faraday Labs at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946.
Details
- CWE(s)