Cyber Resilience

CVE-2024-41335

High

Published: 27 February 2025

Published
27 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0025 49.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-41335 is a high-severity Observable Discrepancy (CWE-203) vulnerability in Draytek (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Deeper analysis

CVE-2024-41335 is a vulnerability in multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The issue arises from the use of insecure versions of the strcmp and memcmp functions, enabling potential disclosure of sensitive information through timing attacks (CWE-203). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected device. Exploitation requires low complexity and no user interaction, allowing remote attackers to perform timing analysis on strcmp and memcmp operations to infer sensitive data, such as credentials or other confidential information stored or processed by the router.

Vendor advisories, including those on the Draytek website (http://draytek.com) and a Faraday Labs report (https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946), indicate that mitigation involves updating to the fixed firmware versions specified for each model.

EU & UK References

Vulnerability details

Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910…

more

prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to utilize insecure versions of the functions strcmp and memcmp, allowing attackers to possibly obtain sensitive information via timing attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of public-facing router firmware via timing side-channel on insecure string/memory comparison functions, enabling credential/sensitive data disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21510Shared CWE-203
CVE-2026-26315Shared CWE-203
CVE-2025-1468Shared CWE-203
CVE-2019-25337Shared CWE-203
CVE-2024-54767Shared CWE-203
CVE-2017-5753Shared CWE-203
CVE-2024-13939Shared CWE-203
CVE-2025-27667Shared CWE-203
CVE-2026-41588Shared CWE-203
CVE-2024-43095Shared CWE-203

Affected Assets

Draytek
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of software flaws like the insecure strcmp and memcmp functions enabling timing attacks in affected Draytek firmware.

prevent

Requires receiving, disseminating, and implementing security advisories and directives from vendors like Draytek specifying fixed firmware versions for CVE-2024-41335.

detect

Enables vulnerability scanning to identify systems running vulnerable Draytek firmware versions susceptible to timing-based information disclosure.

References