Cyber Posture

CVE-2024-41340

High

Published: 27 February 2025

Published
27 February 2025
Modified
03 June 2025
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 16.0th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-41340 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Draytek Vigor2962 Firmware. Its CVSS base score is 8.4 (High).

Operationally, ranked at the 16.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Enforces validation of uploaded APP Enforcement modules to reject crafted files that could lead to arbitrary code execution.

SI-2 Flaw Remediation good match
prevent

Requires timely patching of the unrestricted file upload flaw via updated firmware versions recommended by Draytek.

CM-14 Signed Components good match
prevent

Mandates digital signatures for system components like APP Enforcement modules, blocking unsigned crafted uploads from execution.

NVD Description

An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to…

more

v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload crafted APP Enforcement modules, leading to arbitrary code execution.

Deeper analysisAI

CVE-2024-41340 is an unrestricted file upload vulnerability (CWE-434) affecting multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The flaw enables attackers to upload crafted APP Enforcement modules, resulting in arbitrary code execution on the device.

The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by local attackers with low complexity, no privileges, and no user interaction required. Successful exploitation grants high-impact arbitrary code execution, potentially allowing full compromise of the router's confidentiality, integrity, and availability.

Advisories from Draytek (http://draytek.com) and a Faraday Labs report (https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946) recommend updating to the specified patched firmware versions for each affected model to mitigate the issue.

Details

CWE(s)
CWE-434

Affected Products

draytek
vigor165 firmware
≤ 4.2.7
draytek
vigor166 firmware
≤ 4.2.7
draytek
vigor2620 firmware
≤ 3.9.8.9
draytek
vigorlte200 firmware
≤ 3.9.8.9
draytek
vigor2860 firmware
≤ 3.9.8
draytek
vigor2925 firmware
≤ 3.9.8
draytek
vigor2862 firmware
≤ 3.9.9.5
draytek
vigor2926 firmware
≤ 3.9.9.5
draytek
vigor2133 firmware
≤ 3.9.9
draytek
vigor2762 firmware
≤ 3.9.9
+10 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-41339Same product: Draytek Vigor165
CVE-2024-41334Same product: Draytek Vigor165
CVE-2024-41338Same product: Draytek Vigor165
CVE-2024-51139Same product: Draytek Vigor2133
CVE-2024-51138Same product: Draytek Vigor2133
CVE-2026-3040Same vendor: Draytek
CVE-2021-35485Shared CWE-434
CVE-2020-36942Shared CWE-434
CVE-2025-34299Shared CWE-434
CVE-2025-26411Shared CWE-434

References