CVE-2024-51139

Critical

Published: 27 February 2025

Published

27 February 2025

Modified

28 May 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0548 90.3th percentile

Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-51139 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Draytek Vigor2962 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Directly remediates the buffer overflow vulnerability by applying vendor-provided firmware patches for affected Draytek Vigor routers.

SI-10 Information Input Validation good match

prevent

Requires validation and sanitization of the Content-Length header in HTTP POST requests to the CGI parser, preventing the buffer overflow trigger.

SI-16 Memory Protection partial match

prevent

Implements memory protections such as address space randomization and stack guards to mitigate successful exploitation of the buffer overflow for arbitrary code execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Buffer overflow in public-facing CGI/HTTP parser enables remote unauthenticated RCE on network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and Vigor2133/2762/2832 3.9.9 and earlier and Vigor165/166 4.2.7 and earlier and Vigor2135/2765/2766 4.4.5.1 and earlier and Vigor2865/2866/2927 4.4.5.3 and earlier and Vigor2962/3910…

4.3.2.8/4.4.3.1 and earlier and Vigor3912 4.3.6.1 and earlier allows a remote attacker to execute arbitrary code via the CGI parser's handling of the "Content-Length" header of HTTP POST requests.

Deeper analysisAI

CVE-2024-51139 is a buffer overflow vulnerability (CWE-120) affecting the CGI parser in multiple Draytek Vigor router models. It impacts Vigor2620/LTE200 firmware 3.9.8.9 and earlier, Vigor2860/2925 3.9.8 and earlier, Vigor2862/2926 3.9.9.5 and earlier, Vigor2133/2762/2832 3.9.9 and earlier, Vigor165/166 4.2.7 and earlier, Vigor2135/2765/2766 4.4.5.1 and earlier, Vigor2865/2866/2927 4.4.5.3 and earlier, Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier, and Vigor3912 4.3.6.1 and earlier. The flaw arises from improper handling of the "Content-Length" header in HTTP POST requests, earning a CVSS v3.1 base score of 9.8 (Critical).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a specially crafted HTTP POST request with a manipulated "Content-Length" header, the attacker triggers the buffer overflow in the CGI parser, enabling arbitrary code execution on the affected device. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing full router compromise, such as backdoor installation or traffic redirection.

Vendor advisories and third-party reports, including those from Draytek at http://draytek.com and Faraday Labs at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946, address this among multiple Draytek router vulnerabilities. Mitigation requires updating to firmware versions later than those listed as vulnerable, as patches are available from the vendor.

Details

CWE(s): CWE-120

Affected Products

draytek

vigor2620 firmware

≤ 3.9.9.1

draytek

vigorlte200 firmware

≤ 3.9.9.1

draytek

vigor2860 firmware

≤ 3.9.8.3

draytek

vigor2925 firmware

≤ 3.9.8.3

draytek

vigor2862 firmware

≤ 3.9.9.8

draytek

vigor2926 firmware

≤ 3.9.9.8

draytek

vigor2133 firmware

≤ 3.9.9.2

draytek

vigor2762 firmware

≤ 3.9.9.2

draytek

vigor2832 firmware

≤ 3.9.9.2

draytek

vigor2135 firmware

≤ 4.4.5.5

+13 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-51138Same product: Draytek Vigor1000B

CVE-2024-41339Same product: Draytek Vigor2133

CVE-2024-41334Same product: Draytek Vigor2133

CVE-2024-41338Same product: Draytek Vigor2133

CVE-2024-41340Same product: Draytek Vigor2133

CVE-2024-57482Shared CWE-120

CVE-2024-57479Shared CWE-120

CVE-2025-50670Shared CWE-120

CVE-2025-60554Shared CWE-120

CVE-2025-22916Shared CWE-120

References

http://draytek.com
Product · cve@mitre.org
https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946
Third Party Advisory · cve@mitre.org