CVE-2024-41339
Published: 27 February 2025
Summary
CVE-2024-41339 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Draytek Vigor2962 Firmware. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by requiring timely patching of the flawed CGI endpoint to block unrestricted kernel module uploads leading to arbitrary code execution.
Implements input validation at the CGI configuration upload endpoint to detect and reject crafted kernel modules disguised as valid files.
Restricts file types, extensions, and formats at the upload boundary to prevent acceptance of dangerous kernel modules.
NVD Description
An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor…
more
2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload a crafted kernel module, allowing for arbitrary code execution.
Deeper analysisAI
CVE-2024-41339 affects the CGI endpoint used for uploading configurations in multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The issue, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), enables attackers to upload a crafted kernel module, resulting in arbitrary code execution on the device. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation involves uploading a malicious kernel module via the affected CGI endpoint, achieving arbitrary code execution with high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise.
Vendor advisories and security researcher publications, including those on the Draytek website (http://draytek.com) and a Medium post by Faraday Labs (https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946), recommend updating to the specified patched firmware versions for each affected model to mitigate the vulnerability.
Details
- CWE(s)