CVE-2024-41335
Published: 27 February 2025
Summary
CVE-2024-41335 is a high-severity Observable Discrepancy (CWE-203) vulnerability in Draytek (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Deeper analysis
CVE-2024-41335 is a vulnerability in multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The issue arises from the use of insecure versions of the strcmp and memcmp functions, enabling potential disclosure of sensitive information through timing attacks (CWE-203). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited by any unauthenticated attacker with network access to the affected device. Exploitation requires low complexity and no user interaction, allowing remote attackers to perform timing analysis on strcmp and memcmp operations to infer sensitive data, such as credentials or other confidential information stored or processed by the router.
Vendor advisories, including those on the Draytek website (http://draytek.com) and a Faraday Labs report (https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946), indicate that mitigation involves updating to the fixed firmware versions specified for each model.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5924
Vulnerability details
Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910…
more
prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to utilize insecure versions of the functions strcmp and memcmp, allowing attackers to possibly obtain sensitive information via timing attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing router firmware via timing side-channel on insecure string/memory comparison functions, enabling credential/sensitive data disclosure.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely identification, reporting, and correction of software flaws like the insecure strcmp and memcmp functions enabling timing attacks in affected Draytek firmware.
Requires receiving, disseminating, and implementing security advisories and directives from vendors like Draytek specifying fixed firmware versions for CVE-2024-41335.
Enables vulnerability scanning to identify systems running vulnerable Draytek firmware versions susceptible to timing-based information disclosure.