CVE-2024-41334

Published: Feb 27, 2025Modified: Jun 3, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution.

Affected (20)

Products: Draytek: Vigor166 Firmware, Vigor2620 Firmware, Vigorlte200 Firmware, Vigor2860 Firmware, Vigor2925 Firmware, Vigor2862 Firmware, Vigor2926 Firmware, Vigor2133 Firmware, Vigor2762 Firmware, Vigor2832 Firmware, Vigor2135 Firmware, Vigor2765 Firmware, Vigor2766 Firmware, Vigor2865 Firmware, Vigor2866 Firmware, Vigor2927 Firmware, Vigor2962 Firmware, Vigor3910 Firmware, Vigor3912 Firmware, Vigor165 Firmware

20 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor166 Firmware	Before 4.2.6

Running on/with	Platform Versions
Draytek Vigor166	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2620 Firmware	Before 3.9.8.8

Running on/with	Platform Versions
Draytek Vigor2620	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorlte200 Firmware	Before 3.9.8.8

Running on/with	Platform Versions
Draytek Vigorlte200	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2860 Firmware	Before 3.9.7

Running on/with	Platform Versions
Draytek Vigor2860	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2925 Firmware	Before 3.9.7

Running on/with	Platform Versions
Draytek Vigor2925	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2862 Firmware	Before 3.9.9.4

Running on/with	Platform Versions
Draytek Vigor2862	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2926 Firmware	Before 3.9.9.4

Running on/with	Platform Versions
Draytek Vigor2926	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2133 Firmware	Before 3.9.8

Running on/with	Platform Versions
Draytek Vigor2133	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2762 Firmware	Before 3.9.8

Running on/with	Platform Versions
Draytek Vigor2762	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2832 Firmware	Before 3.9.8

Running on/with	Platform Versions
Draytek Vigor2832	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2135 Firmware	Before 4.4.5.1

Running on/with	Platform Versions
Draytek Vigor2135	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2765 Firmware	Before 4.4.5.1

Running on/with	Platform Versions
Draytek Vigor2765	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2766 Firmware	Before 4.4.5.1

Running on/with	Platform Versions
Draytek Vigor2766	All versions

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2865 Firmware	Before 4.4.5.3

Running on/with	Platform Versions
Draytek Vigor2865	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2866 Firmware	Before 4.4.5.3

Running on/with	Platform Versions
Draytek Vigor2866	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2927 Firmware	Before 4.4.5.3

Running on/with	Platform Versions
Draytek Vigor2927	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor2962 Firmware	Before 4.3.2.7

Running on/with	Platform Versions
Draytek Vigor2962	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor3910 Firmware	Before 4.3.2.7

Running on/with	Platform Versions
Draytek Vigor3910	All versions

Configuration S

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor3912 Firmware	Before 4.3.5.2

Running on/with	Platform Versions
Draytek Vigor3912	All versions

Configuration T

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigor165 Firmware	Before 4.2.6

Running on/with	Platform Versions
Draytek Vigor165	All versions

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (2)

http://draytek.com

Source: cve@mitre.org

Product

https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946

Source: cve@mitre.org

Third Party Advisory

Timeline

No history available yet.