Cyber Resilience

CVE-2024-41338

High

Published: 27 February 2025
Modified: 03 June 2025
KEV Added:
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (33.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-41338 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Draytek Vigor165 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 33.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-41338 is a NULL pointer dereference vulnerability (CWE-476) affecting multiple Draytek Vigor router models running firmware versions prior to specified patches, including Vigor 165/166 before v4.2.6, Vigor 2620/LTE200 before v3.9.8.8, Vigor 2860/2925 before v3.9.7, Vigor 2862/2926 before v3.9.9.4, Vigor 2133/2762/2832 before v3.9.8, Vigor 2135/2765/2766 before v4.4.5.1, Vigor 2865/2866/2927 before v4.4.5.3, Vigor 2962/3910 before v4.3.2.7, Vigor 3912 before v4.3.5.2, and Vigor 2925 up to v3.9.6. The issue occurs in the processing of DHCP requests, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability can be exploited by unauthenticated attackers with network access, requiring low complexity and no user interaction. By sending a specially crafted DHCP request to the device, an attacker can trigger the NULL pointer dereference, causing a Denial of Service that disrupts device availability, such as crashing the router and halting network services.

Advisories recommend updating affected Draytek Vigor devices to the patched firmware versions listed in the CVE description or later. Further details on mitigations and patches are available from the vendor at http://draytek.com and the Faraday security advisory at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946.

Vulnerability details

A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to cause a Denial of Service (DoS) via a crafted DHCP request.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in DHCP processing directly enables Endpoint DoS via application/system exploitation (crash of router).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-41334 · Same product: Draytek Vigor165
CVE-2024-41339 · Same product: Draytek Vigor165
CVE-2024-41340 · Same product: Draytek Vigor165
CVE-2024-51139 · Same product: Draytek Vigor2133
CVE-2024-51138 · Same product: Draytek Vigor2133
CVE-2026-40413 · Shared CWE-476
CVE-2025-57155 · Shared CWE-476
CVE-2026-28390 · Shared CWE-476
CVE-2026-23952 · Shared CWE-476
CVE-2025-57156 · Shared CWE-476

Affected Assets

draytek · vigor165 firmware · ≤ 4.2.6
draytek · vigor166 firmware · ≤ 4.2.6
draytek · vigor2620 firmware · ≤ 3.9.8.8
draytek · vigorlte200 firmware · ≤ 3.9.8.8
draytek · vigor2860 firmware · ≤ 3.9.7
draytek · vigor2925 firmware · ≤ 3.9.7
draytek · vigor2862 firmware · ≤ 3.9.9.4
draytek · vigor2926 firmware · ≤ 3.9.9.4
draytek · vigor2133 firmware · ≤ 3.9.8
draytek · vigor2762 firmware · ≤ 3.9.8
+10 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the NULL pointer dereference vulnerability by requiring timely application of vendor-patched firmware for affected Draytek Vigor routers.

prevent · detect

Protects against the DoS caused by crafted DHCP requests through denial-of-service protection mechanisms that limit resource exhaustion and detect anomalous traffic patterns.

prevent

Validates incoming DHCP requests to block malformed packets that trigger the NULL pointer dereference before they reach vulnerable processing code.
