CVE-2024-41334
Published: 27 February 2025
Summary
CVE-2024-41334 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Draytek Vigor166 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SR-11 (Component Authenticity).
Deeper analysis
CVE-2024-41334 is an improper certificate validation vulnerability (CWE-295) affecting multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The flaw occurs because these devices do not perform certificate verification when uploading APPE (Application Program Extension Environment) modules, enabling the installation of modules from unauthorized sources.
Attackers can exploit this vulnerability over the network with low complexity and low privileges (PR:L), requiring no user interaction. Successful exploitation allows uploading crafted APPE modules from non-official servers, resulting in arbitrary code execution on the device. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.
Mitigation involves updating affected devices to the vendor-recommended firmware versions listed above, as indicated in the vulnerability description. Additional details are available in advisories from Draytek at http://draytek.com and Faraday Labs at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5952
Vulnerability details
Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910…
more
prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper certificate validation on public-facing router upload interface directly enables remote upload of malicious modules for arbitrary code execution (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires digital signature verification of software and firmware components prior to installation, directly preventing upload of crafted APPE modules lacking valid certificates from unauthorized servers.
Mandates verification of component authenticity before installation or execution, blocking exploitation via unauthenticated APPE modules from non-official sources.
Employs integrity verification mechanisms for software and firmware to prevent and detect unauthorized modifications, such as those from improperly validated APPE modules.