CVE-2024-51138
Published: 27 February 2025
Summary
CVE-2024-51138 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Draytek Vigor2962 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2024-51138 is a stack-based buffer overflow vulnerability (CWE-121) in the URL parsing functionality of the TR069 STUN server present in multiple Draytek Vigor router models. Affected devices include Vigor165/166 running 4.2.7 and earlier, Vigor2620/LTE200 at 3.9.8.9 and earlier, Vigor2860/2925 at 3.9.8 and earlier, Vigor2862/2926 at 3.9.9.5 and earlier, and numerous additional models up through firmware versions such as 4.4.5.3, all of which perform insufficient bounds checking on the quantity of URL parameters.
A remote attacker can exploit the flaw by sending a single crafted request over the network without authentication or user interaction. Successful exploitation grants arbitrary code execution with elevated privileges, corresponding to the CVSS 9.8 rating that reflects full impact on confidentiality, integrity, and availability.
Public references point to Draytek product information and a technical advisory detailing multiple related issues in the same router family, though no specific patch versions or mitigation steps are enumerated in the available data. The associated EPSS score has remained flat at 0.0859 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5925
Vulnerability details
Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5. and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; Vigor3910 4.4.3.1 and earlier…
a stack-based buffer overflow vulnerability has been identified in the URL parsing functionality of the TR069 STUN server. This flaw occurs due to insufficient bounds checking on the amount of URL parameters, allowing an attacker to exploit the overflow by sending a maliciously crafted request. Consequently, a remote attacker can execute arbitrary code with elevated privileges.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Remote unauthenticated stack buffer overflow in public-facing TR069 STUN server on Draytek routers directly enables arbitrary code execution via crafted network request (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the stack-based buffer overflow by applying vendor patches for the affected Draytek Vigor router firmware.
Enforces bounds checking and validation on URL parameters processed by the TR069 STUN server to prevent buffer overflows from malicious requests.
Implements memory protections like stack canaries and non-executable memory to mitigate exploitation of the stack-based buffer overflow even if input validation fails.
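The bounds check on the number of URL parameters described above, as an added example that is not DrayTek firmware code or code from the advisory. The names `parse_params`, `struct param` and `MAX_PARAMS` are hypothetical and the sample query strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 8                 /* assumed limit, chosen for this example */

struct param { const char *key; const char *val; };

/* Bug class from the advisory text, shown for contrast only:
 *   struct param p[MAX_PARAMS]; int n = 0;
 *   for each '&'-separated token: p[n++].key = token;
 * n is never compared with MAX_PARAMS, so extra parameters land on the stack
 * beyond p[]. */

/* Splits query in place into at most cap key/value pairs.
 * Returns the pair count, or -1 when the request carries more than cap
 * parameters; the caller rejects the request. out[cap] is never written. */
int parse_params(char *query, struct param *out, size_t cap)
{
    size_t n = 0;
    if (query == NULL || out == NULL) return -1;
    char *cur = query;
    while (*cur != '\0') {
        char *amp = strchr(cur, '&');
        if (amp != NULL) *amp = '\0';          /* terminate this segment */
        if (*cur != '\0') {                    /* skip empty segments ("a&&b") */
            if (n >= cap) return -1;           /* the count check */
            char *eq = strchr(cur, '=');
            out[n].key = cur;
            if (eq != NULL) { *eq = '\0'; out[n].val = eq + 1; }
            else            { out[n].val = ""; }
            n++;
        }
        if (amp == NULL) break;
        cur = amp + 1;
    }
    return (int)n;
}

int main(void)
{
    char q[] = "host=203.0.113.5&port=3478&id=abc";   /* constructed input */
    struct param p[MAX_PARAMS];
    int n = parse_params(q, p, MAX_PARAMS);
    for (int i = 0; i < n; i++) printf("%s -> %s\n", p[i].key, p[i].val);
    return n < 0;
}
```

The count check corresponds to the input-validation control (SI-10); stack canaries and non-executable memory (SI-16) remain a second layer if such a check is missing elsewhere.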