Cyber Resilience

CVE-2024-51139 (severity: Critical)

Published: 27 February 2025
Modified: 28 May 2025
KEV Added: not listed
Patch: no details provided
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0675 (91.5th percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-51139 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Draytek Vigor2962 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 8.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-51139 is a buffer overflow vulnerability (CWE-120) affecting the CGI parser in multiple Draytek Vigor router models, including Vigor2620/LTE200 3.9.8.9 and earlier, Vigor2860/2925 3.9.8 and earlier, Vigor2862/2926 3.9.9.5 and earlier, Vigor2133/2762/2832 3.9.9 and earlier, Vigor165/166 4.2.7 and earlier, Vigor2135/2765/2766 4.4.5.1 and earlier, Vigor2865/2866/2927 4.4.5.3 and earlier, Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier, and Vigor3912 4.3.6.1 and earlier. The flaw lies in how the parser handles the Content-Length header of incoming HTTP POST requests; the CVE carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can send a crafted HTTP POST request over the network to trigger the overflow, resulting in arbitrary code execution with full control over the affected device. No user interaction or credentials are required, and the attack surface is exposed to any network-reachable interface accepting such requests.
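The Content-Length handling described above, illustrated with an added C example that is not DrayTek's code (the affected parser is not public on this page): a weak reader that trusts the declared length when copying into a fixed buffer, beside a hardened parser that validates the header before any byte is copied. BODY_MAX, the function names and the buffer layout are assumptions made for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 4096  /* hypothetical capacity of the handler's body buffer */

/* Weak pattern (illustrative, not DrayTek's code): the remote-supplied length
 * is trusted and used directly as the copy size, so a Content-Length larger
 * than BODY_MAX writes past the end of body (CWE-120). */
size_t weak_read_body(const char *content_length, const char *stream, char *body)
{
    size_t n = (size_t)atol(content_length);   /* no bounds check, no sign check */
    memcpy(body, stream, n);                   /* overflows when n > BODY_MAX */
    return n;
}

/* Hardened: parse Content-Length strictly (digits only, no sign, no numeric
 * overflow) and reject anything the buffer cannot hold before copying.
 * Returns the validated length, or -1 if the request must be rejected. */
long parse_content_length(const char *value, size_t capacity)
{
    if (value == NULL || *value == '\0')
        return -1;
    for (const char *p = value; *p; p++)
        if (!isdigit((unsigned char)*p))       /* rejects "-1", "+5", "1e9", " 12" */
            return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0')       /* numeric overflow or trailing junk */
        return -1;
    if (n > capacity || n > LONG_MAX)          /* larger than the buffer we own */
        return -1;
    return (long)n;
}

/* Copies at most the validated length, and never more than was received, so
 * the header value can no longer control how many bytes land in the buffer. */
long safe_read_body(const char *content_length, const char *stream, size_t stream_len,
                    char *body, size_t capacity)
{
    long n = parse_content_length(content_length, capacity);
    if (n < 0 || (size_t)n > stream_len)       /* reject before copying */
        return -1;
    memcpy(body, stream, (size_t)n);
    return n;
}
```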

Public references point to Draytek and an advisory detailing multiple router issues, but no specific mitigation steps or patch availability details are provided in the source data. The associated EPSS score remains flat at 0.0675 with no observed rise after disclosure.

EU & UK References

Vulnerability details

Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and Vigor2133/2762/2832 3.9.9 and earlier and Vigor165/166 4.2.7 and earlier and Vigor2135/2765/2766 4.4.5.1 and earlier and Vigor2865/2866/2927 4.4.5.3 and earlier and Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier and Vigor3912 4.3.6.1 and earlier allows a remote attacker to execute arbitrary code via the CGI parser's handling of the "Content-Length" header of HTTP POST requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in public-facing CGI/HTTP parser enables remote unauthenticated RCE on network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-51138: same product (Draytek Vigor1000B)
CVE-2024-41339: same product (Draytek Vigor2133)
CVE-2024-41334: same product (Draytek Vigor2133)
CVE-2024-41340: same product (Draytek Vigor2133)
CVE-2024-41338: same product (Draytek Vigor2133)
CVE-2021-47854: shared CWE-120
CVE-2024-39803: shared CWE-120
CVE-2024-37184: shared CWE-120
CVE-2025-66647: shared CWE-120
CVE-2024-39750: shared CWE-120

Affected Assets

Vendor    Product               Affected versions
draytek   vigor2620 firmware    ≤ 3.9.9.1
draytek   vigorlte200 firmware  ≤ 3.9.9.1
draytek   vigor2860 firmware    ≤ 3.9.8.3
draytek   vigor2925 firmware    ≤ 3.9.8.3
draytek   vigor2862 firmware    ≤ 3.9.9.8
draytek   vigor2926 firmware    ≤ 3.9.9.8
draytek   vigor2133 firmware    ≤ 3.9.9.2
draytek   vigor2762 firmware    ≤ 3.9.9.2
draytek   vigor2832 firmware    ≤ 3.9.9.2
draytek   vigor2135 firmware    ≤ 4.4.5.5
+13 more product configuration(s); see NVD for the full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (control type: prevent, recover)
Directly remediates the buffer overflow vulnerability by applying vendor-provided firmware patches for affected Draytek Vigor routers.

SI-10 Information Input Validation (control type: prevent)
Requires validation and sanitization of the Content-Length header in HTTP POST requests to the CGI parser, preventing the buffer overflow trigger.

SI-16 Memory Protection (control type: prevent)
Implements memory protections such as address space randomization and stack guards to mitigate successful exploitation of the buffer overflow for arbitrary code execution.

References