Cyber Posture

CVE-2024-41338

High

Published: 27 February 2025

Published
27 February 2025
Modified
03 June 2025
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 23.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-41338 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Draytek Vigor165 Firmware. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the NULL pointer dereference vulnerability by requiring timely application of vendor-patched firmware for affected Draytek Vigor routers.

SC-5 Denial-of-service Protection good match
preventdetect

Protects against the DoS caused by crafted DHCP requests through denial-of-service protection mechanisms that limit resource exhaustion and detect anomalous traffic patterns.

SI-10 Information Input Validation partial match
prevent

Validates incoming DHCP requests to block malformed packets that trigger the NULL pointer dereference before they reach vulnerable processing code.

NVD Description

A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927…

more

prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to cause a Denial of Service (DoS) via a crafted DHCP request.

Deeper analysisAI

CVE-2024-41338 is a NULL pointer dereference vulnerability (CWE-476) affecting multiple Draytek Vigor router models running firmware versions prior to specified patches, including Vigor 165/166 before v4.2.6, Vigor 2620/LTE200 before v3.9.8.8, Vigor 2860/2925 before v3.9.7, Vigor 2862/2926 before v3.9.9.4, Vigor 2133/2762/2832 before v3.9.8, Vigor 2135/2765/2766 before v4.4.5.1, Vigor 2865/2866/2927 before v4.4.5.3, Vigor 2962/3910 before v4.3.2.7, Vigor 3912 before v4.3.5.2, and Vigor 2925 up to v3.9.6. The issue occurs in the processing of DHCP requests, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability can be exploited by unauthenticated attackers with network access, requiring low complexity and no user interaction. By sending a specially crafted DHCP request to the device, an attacker can trigger the NULL pointer dereference, causing a Denial of Service that disrupts device availability, such as crashing the router and halting network services.

Advisories recommend updating affected Draytek Vigor devices to the patched firmware versions listed in the CVE description or later. Further details on mitigations and patches are available from the vendor at http://draytek.com and the Faraday security advisory at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946.

Details

CWE(s)
CWE-476

Affected Products

draytek
vigor165 firmware
≤ 4.2.6
draytek
vigor166 firmware
≤ 4.2.6
draytek
vigor2620 firmware
≤ 3.9.8.8
draytek
vigorlte200 firmware
≤ 3.9.8.8
draytek
vigor2860 firmware
≤ 3.9.7
draytek
vigor2925 firmware
≤ 3.9.7
draytek
vigor2862 firmware
≤ 3.9.9.4
draytek
vigor2926 firmware
≤ 3.9.9.4
draytek
vigor2133 firmware
≤ 3.9.8
draytek
vigor2762 firmware
≤ 3.9.8
+10 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-41340Same product: Draytek Vigor165
CVE-2024-41339Same product: Draytek Vigor165
CVE-2024-41334Same product: Draytek Vigor165
CVE-2024-51139Same product: Draytek Vigor2133
CVE-2024-51138Same product: Draytek Vigor2133
CVE-2026-3040Same vendor: Draytek
CVE-2026-4652Shared CWE-476
CVE-2024-46922Shared CWE-476
CVE-2026-33282Shared CWE-476
CVE-2025-0430Shared CWE-476

References