CVE-2024-51139
Published: 27 February 2025
Summary
CVE-2024-51139 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Draytek Vigor2962 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-51139 is a buffer overflow vulnerability (CWE-120) affecting the CGI parser in multiple Draytek Vigor router models, including Vigor2620/LTE200 3.9.8.9 and earlier, Vigor2860/2925 3.9.8 and earlier, Vigor2862/2926 3.9.9.5 and earlier, Vigor2133/2762/2832 3.9.9 and earlier, Vigor165/166 4.2.7 and earlier, Vigor2135/2765/2766 4.4.5.1 and earlier, Vigor2865/2866/2927 4.4.5.3 and earlier, Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier, and Vigor3912 4.3.6.1 and earlier. The flaw resides in how the parser processes the Content-Length header of incoming HTTP POST requests and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can send a crafted HTTP POST request over the network to trigger the overflow, resulting in arbitrary code execution with full control over the affected device. No user interaction or credentials are required, and the attack surface is exposed to any network-reachable interface accepting such requests.
Public references point to Draytek and an advisory detailing multiple router issues, but no specific mitigation steps or patch availability details are provided in the source data. The associated EPSS score remains flat at 0.0675 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5949
Vulnerability details
Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and Vigor2133/2762/2832 3.9.9 and earlier and Vigor165/166 4.2.7 and earlier and Vigor2135/2765/2766 4.4.5.1 and earlier and Vigor2865/2866/2927 4.4.5.3 and earlier and Vigor2962/3910…
more
4.3.2.8/4.4.3.1 and earlier and Vigor3912 4.3.6.1 and earlier allows a remote attacker to execute arbitrary code via the CGI parser's handling of the "Content-Length" header of HTTP POST requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing CGI/HTTP parser enables remote unauthenticated RCE on network device.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the buffer overflow vulnerability by applying vendor-provided firmware patches for affected Draytek Vigor routers.
Requires validation and sanitization of the Content-Length header in HTTP POST requests to the CGI parser, preventing the buffer overflow trigger.
Implements memory protections such as address space randomization and stack guards to mitigate successful exploitation of the buffer overflow for arbitrary code execution.