Cyber Posture

CVE-2024-51138

Critical

Published: 27 February 2025
Modified: 28 May 2025
CISA KEV: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0701 (91.5th percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-51138 is a critical-severity stack-based buffer overflow (CWE-121) in the TR069 STUN server of multiple Draytek Vigor router firmware lines (the Vigor2962 among them; the full model list is in the NVD description below). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 8.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Flaw remediation (vendor patch), prevent

Directly remediates the stack-based buffer overflow by applying the vendor firmware update for the affected Draytek Vigor model. This is the only control that removes the bug rather than containing it.

SI-10 Information Input Validation, prevent

Enforces a bounds check on the number of URL parameters the TR069 STUN server accepts before they are stored, so a request carrying more parameters than the parser's buffer can hold is rejected instead of overflowing the stack.

SI-16 Memory Protection, prevent

Stack canaries, a non-executable stack and address-space randomization can turn a successful overflow into a crash rather than code execution even if input validation fails. Caveat: on router firmware these are compile-time and platform properties chosen by the vendor, not settings an operator can switch on; their presence on an affected model should be confirmed, not assumed.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A remote, unauthenticated stack buffer overflow in the public-facing TR069 STUN server on Draytek routers directly enables arbitrary code execution from a single crafted network request, which is the textbook case of T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5. and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; Vigor3910 4.4.3.1 and earlier… a stack-based buffer overflow vulnerability has been identified in the URL parsing functionality of the TR069 STUN server. This flaw occurs due to insufficient bounds checking on the amount of URL parameters, allowing an attacker to exploit the overflow by sending a maliciously crafted request. Consequently, a remote attacker can execute arbitrary code with elevated privileges.

Deeper analysis

CVE-2024-51138 is a stack-based buffer overflow vulnerability (CWE-121) in the URL parsing functionality of the TR069 STUN server on multiple Draytek Vigor router models. Per the NVD description, the flaw affects Vigor165/166 versions 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5 and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; and Vigor3910 4.4.3.1 and earlier. The root cause is a missing bound on the number of URL parameters the parser stores: the parser checks the content of each parameter but not how many of them a request may carry, so a request with more parameters than the fixed-size stack buffer can hold writes past its end.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction by sending a maliciously crafted request to the TR069 STUN server. Successful exploitation triggers the buffer overflow, enabling arbitrary code execution with elevated privileges. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical impact on confidentiality, integrity, and availability.
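The bug shape described above (and the SI-10 and SI-16 controls listed earlier), as an added example that is not Draytek's firmware code and not from the original page: a query-string parser that stores each parsed URL parameter in a fixed-size stack array. `MAX_PARAMS`, `struct param`, the function names and the two request strings are assumptions constructed for the illustration. `parse_query_vulnerable` bounds-checks the characters of each parameter but never the parameter count, which is the CWE-121 pattern the advisory describes; `parse_query_checked` adds the count check so a request with too many parameters fails closed instead of overflowing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Draytek's code. MAX_PARAMS, struct param and the
 * function names below are assumptions made for the illustration. */
#define MAX_PARAMS 8

struct param {
    const char *key; size_t key_len;
    const char *val; size_t val_len;
};

/* Split one "k=v" token of length len into key/value slices ('=' optional). */
static void split_pair(const char *tok, size_t len, struct param *p)
{
    const char *eq = memchr(tok, '=', len);
    p->key = tok;
    if (eq) {
        p->key_len = (size_t)(eq - tok);
        p->val = eq + 1;
        p->val_len = len - p->key_len - 1;
    } else {
        p->key_len = len;
        p->val = tok + len;
        p->val_len = 0;
    }
}

/* VULNERABLE: every character is within bounds, but the number of '&'-separated
 * pairs is never compared with the caller's array size. A query with more than
 * MAX_PARAMS pairs writes past the end of out[] on the stack (CWE-121).
 * Kept here to show the pattern; never call it with untrusted input. */
int parse_query_vulnerable(const char *query, struct param out[MAX_PARAMS])
{
    int n = 0;
    const char *p = query;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        split_pair(p, len, &out[n++]);   /* no check that n < MAX_PARAMS */
        if (!amp) break;
        p = amp + 1;
    }
    return n;
}

/* HARDENED (the SI-10 input-validation control): the parameter count is checked
 * against the capacity the caller actually passed in, and an over-long request
 * is rejected with -1 rather than silently truncated, so it fails closed. */
int parse_query_checked(const char *query, struct param *out, size_t cap)
{
    size_t n = 0;
    const char *p = query;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        if (n >= cap)
            return -1;                    /* too many parameters: reject */
        split_pair(p, len, &out[n++]);
        if (!amp) break;
        p = amp + 1;
    }
    return (int)n;
}

/* Count '&'-separated pairs without storing them: this is how many slots the
 * vulnerable parser would write for a given request. */
int count_params(const char *query)
{
    if (!*query) return 0;
    int n = 1;
    for (const char *p = query; *p; p++)
        if (*p == '&') n++;
    return n;
}

/* Constructed request bodies for the demonstration (not captured traffic). */
static const char BENIGN[]  = "user=admin&action=status";
static const char CRAFTED[] = "a=1&b=2&c=3&d=4&e=5&f=6&g=7&h=8&i=9&j=10&k=11&l=12";

int main(void)
{
    struct param params[MAX_PARAMS];
    int n = parse_query_checked(BENIGN, params, MAX_PARAMS);
    printf("benign: %d params, first key '%.*s'\n",
           n, (int)params[0].key_len, params[0].key);
    printf("crafted: %d params offered against capacity %d, checked parser returns %d\n",
           count_params(CRAFTED), MAX_PARAMS,
           parse_query_checked(CRAFTED, params, MAX_PARAMS));
    return 0;
}
```

The crafted string carries 12 pairs against a capacity of 8; the vulnerable parser would write four `struct param` entries past the array, which is exactly the overflow a stack canary (SI-16) would turn into a crash and the count check (SI-10) prevents outright. Rejecting rather than truncating matters: a parser that silently keeps the first eight parameters still accepts attacker-controlled input it did not fully validate.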

Advisories providing mitigation guidance, including patches, are available from Draytek at http://draytek.com and in the Faraday Labs report on multiple Draytek router vulnerabilities at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946.

Details

CWE(s)

CWE-121 Stack-based Buffer Overflow
Affected Products

draytek vigor3912 firmware ≤ 4.4.3.2
draytek vigor2620 firmware ≤ 3.9.9.1
draytek vigorlte200 firmware ≤ 3.9.9.1
draytek vigor2860 firmware ≤ 3.9.8.3
draytek vigor2925 firmware ≤ 3.9.8.3
draytek vigor2862 firmware ≤ 3.9.9.8
draytek vigor2926 firmware ≤ 3.9.9.8
draytek vigor2133 firmware ≤ 3.9.9.2
draytek vigor2762 firmware ≤ 3.9.9.2
draytek vigor2832 firmware ≤ 3.9.9.2
+13 more product configuration(s) — see NVD for full list.

Note that the CPE version ranges above are in every listed case later than the cut-offs in the NVD description text (for example Vigor3912 ≤ 4.4.3.2 here against "4.3.6.1 and earlier" in the description, and Vigor2620 ≤ 3.9.9.1 against "3.9.8.9 and earlier"). When checking a device, treat the wider range as the affected set and confirm the fixed release for the specific model against Draytek's advisory rather than assuming a build just above the description's cut-off is patched.

CVEs Like This One

CVE-2024-51139 (same product: Draytek Vigor1000B)
CVE-2024-41339 (same product: Draytek Vigor2133)
CVE-2024-41334 (same product: Draytek Vigor2133)
CVE-2024-41338 (same product: Draytek Vigor2133)
CVE-2024-41340 (same product: Draytek Vigor2133)
CVE-2025-70219 (shared CWE-121)
CVE-2025-61128 (shared CWE-121)
CVE-2019-25319 (shared CWE-121)
CVE-2026-22904 (shared CWE-121)
CVE-2026-30871 (shared CWE-121)

References

Draytek security advisories: http://draytek.com
Faraday Labs, "Advisory: Multiple vulnerabilities affecting Draytek routers": https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946