Cyber Resilience

CVE-2024-51138

Critical

Published: 27 February 2025

Modified: 28 May 2025
KEV Added: not listed
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0859 (92.6th percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-51138 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Draytek Vigor2962 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-51138 is a stack-based buffer overflow vulnerability (CWE-121) in the URL parsing functionality of the TR069 STUN server present in multiple Draytek Vigor router models. Affected devices include Vigor165/166 running 4.2.7 and earlier, Vigor2620/LTE200 at 3.9.8.9 and earlier, Vigor2860/2925 at 3.9.8 and earlier, Vigor2862/2926 at 3.9.9.5 and earlier, and numerous additional models up through firmware versions such as 4.4.5.3, all of which perform insufficient bounds checking on the quantity of URL parameters.

A remote attacker can exploit the flaw by sending a single crafted request over the network without authentication or user interaction. Successful exploitation grants arbitrary code execution with elevated privileges, corresponding to the CVSS 9.8 rating that reflects full impact on confidentiality, integrity, and availability.
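The root cause described above is a parameter count that is never compared against the capacity of a fixed-size stack table. The C example below is added here and is not Draytek's code; the parser, the field layout and the MAX_PARAMS/MAX_KV_LEN limits are constructed for illustration. It shows the defensive pattern: a query-string parser that refuses a request once the table is full instead of writing past it.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PARAMS 8     /* constructed limits for the illustration */
#define MAX_KV_LEN 64

struct kv { char key[MAX_KV_LEN]; char val[MAX_KV_LEN]; };

/* Parse "k1=v1&k2=v2" into a caller-supplied table of at most cap entries.
 * Returns the number of parameters stored, or -1 if the request carries more
 * parameters than the table holds or a key/value is too long. The CWE-121
 * pattern is this loop with the "n >= cap" test missing: a request with many
 * '&'-separated fields then writes past the end of a stack array. */
int parse_query(const char *q, struct kv *out, size_t cap)
{
    size_t n = 0;
    while (*q) {
        const char *amp = strchr(q, '&');
        size_t seglen = amp ? (size_t)(amp - q) : strlen(q);
        if (seglen > 0) {
            if (n >= cap) return -1;               /* table full: refuse, do not overflow */
            const char *eq = memchr(q, '=', seglen);
            size_t klen = eq ? (size_t)(eq - q) : seglen;
            size_t vlen = eq ? seglen - klen - 1 : 0;
            if (klen >= MAX_KV_LEN || vlen >= MAX_KV_LEN) return -1;  /* per-field bound */
            memcpy(out[n].key, q, klen);
            out[n].key[klen] = '\0';
            if (vlen) memcpy(out[n].val, eq + 1, vlen);
            out[n].val[vlen] = '\0';
            n++;
        }
        if (!amp) break;
        q = amp + 1;
    }
    return (int)n;
}

/* Request handler: the table lives on the stack, exactly where an unchecked
 * count would do damage. Returns 1 if the request is accepted, 0 if rejected;
 * *stored receives the parameter count (or -1). */
int handle_request(const char *query, int *stored)
{
    struct kv params[MAX_PARAMS];
    int n = parse_query(query, params, MAX_PARAMS);
    if (stored) *stored = n;
    return n >= 0;
}
```

A request with nine or more parameters is rejected before any write to the ninth slot; the same count check is the one the advisory says the affected firmware lacks.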

Public references point to Draytek product information and a technical advisory detailing multiple related issues in the same router family, though no specific patch versions or mitigation steps are enumerated in the available data. The associated EPSS score has remained flat at 0.0859 with no observed increase after disclosure.

EU & UK References

Vulnerability details

Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5. and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; Vigor3910 4.4.3.1 and earlier…


A stack-based buffer overflow vulnerability has been identified in the URL parsing functionality of the TR069 STUN server. This flaw occurs due to insufficient bounds checking on the amount of URL parameters, allowing an attacker to exploit the overflow by sending a maliciously crafted request. Consequently, a remote attacker can execute arbitrary code with elevated privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated stack buffer overflow in public-facing TR069 STUN server on Draytek routers directly enables arbitrary code execution via crafted network request (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-51139 (same product: Draytek Vigor1000B)
CVE-2024-41339 (same product: Draytek Vigor2133)
CVE-2024-41334 (same product: Draytek Vigor2133)
CVE-2024-41340 (same product: Draytek Vigor2133)
CVE-2024-41338 (same product: Draytek Vigor2133)
CVE-2025-11779 (shared CWE-121)
CVE-2026-25823 (shared CWE-121)
CVE-2025-69766 (shared CWE-121)
CVE-2025-60691 (shared CWE-121)
CVE-2019-25364 (shared CWE-121)

Affected Assets

draytek vigor3912 firmware ≤ 4.4.3.2
draytek vigor2620 firmware ≤ 3.9.9.1
draytek vigorlte200 firmware ≤ 3.9.9.1
draytek vigor2860 firmware ≤ 3.9.8.3
draytek vigor2925 firmware ≤ 3.9.8.3
draytek vigor2862 firmware ≤ 3.9.9.8
draytek vigor2926 firmware ≤ 3.9.9.8
draytek vigor2133 firmware ≤ 3.9.9.2
draytek vigor2762 firmware ≤ 3.9.9.2
draytek vigor2832 firmware ≤ 3.9.9.2
+13 more product configuration(s); see NVD for the full list

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the stack-based buffer overflow by applying vendor patches for the affected Draytek Vigor router firmware.

prevent: Enforces bounds checking and validation on URL parameters processed by the TR069 STUN server to prevent buffer overflows from malicious requests.

prevent: Implements memory protections such as stack canaries and non-executable memory to mitigate exploitation of the stack-based buffer overflow even if input validation fails.

References