Advisory

DrayTek Router vulnerabilities disclosed by Faraday Security research team

Take action: If you are running DrayTek Vigor routers, it is time to start patching fast. Several of these flaws are remotely exploitable, and by the nature of the devices they are probably exposed to the internet. Until you are able to patch, disable remote access unless absolutely necessary; on routers that cannot be patched yet, disable both remote access (admin) and SSL VPN, and enable 2FA where possible.

Multiple critical security vulnerabilities affecting DrayTek Vigor routers have been disclosed in February 2025, following discovery by the Faraday Security Research Team on October 9, 2024.

The most severe vulnerabilities include:

  • CVE-2024-51138 (CVSS score 9.8): A stack-based buffer overflow vulnerability in the TR069 STUN server's URL parsing functionality. This flaw allows remote attackers to execute arbitrary code through unauthenticated requests, potentially leading to complete system compromise. Note that when TR069 and STUN server are enabled, the router is typically behind a NAT gateway.
  • CVE-2024-51139 (CVSS score 9.8): An integer overflow vulnerability in the CGI parser's handling of HTTP POST requests' "Content-Length" header. This flaw can result in a heap overflow, allowing unauthenticated remote attackers to execute arbitrary code and completely compromise affected systems.
  • CVE-2024-41339 (CVSS score 9.8): Undocumented kernel module installation through CGI configuration endpoint, enabling arbitrary code execution.
  • CVE-2024-41334 (CVSS score 9.8): Missing SSL certificate validation for APP Enforcement signature updates, potentially enabling malicious module installation from unofficial servers.
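CVE-2024-51139 above belongs to a familiar bug class: a header value is converted to a number, and that number then sizes a heap buffer. The C example below is added here for illustration only; it is not DrayTek firmware code and not from the Faraday write-up. It shows the risky conversion pattern next to a hardened parser that rejects signs, trailing junk, conversion overflow and oversized values before any allocation happens. The MAX_BODY_LEN limit and all function names are assumptions of the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest request body this hypothetical CGI handler will buffer. The value is
 * an assumption of the example; the point is that a bound exists and is
 * checked before any size arithmetic or allocation. */
#define MAX_BODY_LEN (1u << 20)

/* The risky pattern: atoi() accepts a leading sign and a junk suffix, returns a
 * signed int, and the result is typically fed straight into malloc(len + 1)
 * followed by a copy of len bytes. A negative or wrapped value makes the
 * allocation tiny and the copy huge, which is how a heap overflow arises. */
int naive_content_length(const char *header_value) {
    return atoi(header_value);
}

/* Hardened parser. Accepts only a non-empty run of ASCII digits, detects
 * overflow of the conversion itself, and enforces the upper bound before the
 * caller does any arithmetic with the value. */
bool parse_content_length(const char *header_value, size_t *out) {
    if (header_value == NULL || *header_value == '\0') return false;
    for (const char *p = header_value; *p != '\0'; p++) {
        if (*p < '0' || *p > '9') return false;  /* no sign, space or hex */
    }
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(header_value, &end, 10);
    if (errno == ERANGE || end == header_value || *end != '\0') return false;
    if (v > MAX_BODY_LEN) return false;
    *out = (size_t)v;
    return true;
}

/* Returns the validated length, or SIZE_MAX when the header is rejected.
 * SIZE_MAX can never be a valid result because of the MAX_BODY_LEN bound. */
size_t checked_content_length(const char *header_value) {
    size_t len = 0;
    return parse_content_length(header_value, &len) ? len : SIZE_MAX;
}

/* Allocate the body buffer only after validation. The +1 cannot overflow
 * because len <= MAX_BODY_LEN; the caller must never copy more than *len_out
 * bytes into the returned buffer. */
char *allocate_body(const char *header_value, size_t *len_out) {
    size_t len = checked_content_length(header_value);
    if (len == SIZE_MAX) return NULL;
    char *buf = calloc(len + 1, 1);
    if (buf != NULL) *len_out = len;
    return buf;
}

int main(void) {
    /* Constructed header values, not captured traffic. */
    const char *samples[] = {"1024", "0", "1048576", "1048577", "-1", "+5",
                             "12abc", "18446744073709551616", ""};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = checked_content_length(samples[i]);
        if (len == SIZE_MAX)
            printf("%-22s hardened: rejected\n", samples[i]);
        else
            printf("%-22s hardened: accepted (%zu bytes)\n", samples[i], len);
    }
    /* The same two inputs through the naive conversion: a negative length and
     * a silently truncated one, both of which a later malloc/copy would trust. */
    printf("naive(\"-1\")    = %d\n", naive_content_length("-1"));
    printf("naive(\"12abc\") = %d\n", naive_content_length("12abc"));
    return 0;
}
```

The ordering matters: validate, then bound, then allocate. Any arithmetic on the length (the `+ 1`, an offset into a reassembly buffer) is safe only because the bound was enforced first.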

The Faraday team also discovered several other security issues:

  • CVE-2024-41340 (CVSS score 8.4): APP Enforcement signature update vulnerability allowing arbitrary kernel module installation and code execution.
  • CVE-2024-41335 (CVSS score 7.5): Non-constant-time password comparison, allowing timing attacks that could recover sensitive information.
  • CVE-2024-41336 (CVSS score 7.5): Insecure password storage in plaintext, enabling credential theft through memory or physical access.
  • CVE-2024-41338 (CVSS score 7.5): DHCP server NULL pointer dereference vulnerability, allowing denial-of-service attacks via crafted DHCP requests.
  • No CVE assigned: Predictable 2FA code generation vulnerability, allowing attackers to bypass secondary authentication measures.
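CVE-2024-41335 above concerns a password check that returns as soon as it sees the first mismatching byte, so the time to reject a guess depends on how much of it is right. The C example below is added for illustration and is not DrayTek's code nor Faraday's; it contrasts a strcmp()-based check with a constant-time comparison over a fixed-width, zero-padded buffer. PW_BUF and the function names are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed comparison width (an assumption of this example). Secrets longer than
 * this are rejected outright rather than silently truncated. */
#define PW_BUF 64

/* The leaky pattern: strcmp() returns at the first differing byte, so a guess
 * that shares more leading bytes with the secret takes measurably longer to
 * reject. That difference, sampled repeatedly, is what a timing attack uses. */
bool leaky_password_equal(const char *stored, const char *supplied) {
    return strcmp(stored, supplied) == 0;
}

/* Constant-time equality over exactly n bytes: no early exit, every byte
 * difference is OR-ed into an accumulator, and only the final value is tested. */
bool ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= (uint8_t)(a[i] ^ b[i]);
    return acc == 0;
}

/* Length of s capped at limit, never reading beyond limit bytes. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Compare a supplied password against the stored one in constant time. Both
 * values are copied into zero-padded fixed-width buffers, so the comparison
 * loop always runs PW_BUF iterations whatever the inputs contain. C strings
 * cannot contain NUL, so two inputs of different length always produce
 * different padded buffers and no separate length check is needed. The copies
 * still cost time proportional to the lengths, which is one reason production
 * systems compare fixed-length password hashes rather than passwords. */
bool ct_password_equal(const char *stored, const char *supplied) {
    uint8_t a[PW_BUF] = {0};
    uint8_t b[PW_BUF] = {0};
    size_t n = bounded_len(stored, PW_BUF + 1);
    size_t m = bounded_len(supplied, PW_BUF + 1);
    if (n > PW_BUF || m > PW_BUF) return false;
    memcpy(a, stored, n);
    memcpy(b, supplied, m);
    return ct_memeq(a, b, PW_BUF);
}

int main(void) {
    /* Constructed credentials for the demonstration. */
    const char *stored = "correct-horse-battery";
    const char *guesses[] = {"correct-horse-battery", "correct-horse-battery!",
                             "correct-horse-batterx", "wrong", ""};
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        printf("%-24s leaky=%d constant_time=%d\n", guesses[i],
               leaky_password_equal(stored, guesses[i]),
               ct_password_equal(stored, guesses[i]));
    }
    return 0;
}
```

Both functions return the same answers; the difference is only in how long each takes to say no. Storing a salted hash and comparing the fixed-length digests with ct_memeq() removes the remaining length dependence and also addresses the plaintext storage problem described in CVE-2024-41336.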

DrayTek has released patched firmware versions for all affected models:

  • Vigor2620 LTE – 3.9.9.1
  • VigorLTE 200n – 3.9.9.1
  • Vigor2133 – 3.9.9.2
  • Vigor2135 – 4.4.5.5
  • Vigor2762 – 3.9.9.2
  • Vigor2765 – 4.4.5.5
  • Vigor2766 – 4.4.5.5
  • Vigor2832 – 3.9.9.2
  • Vigor2860 / 2860 LTE – 3.9.8.3
  • Vigor2862 / 2862 LTE – 3.9.9.8
  • Vigor2865 / 2865 LTE / 2865L-5G – 4.4.5.8
  • Vigor2866 / 2866 LTE – 4.4.5.8
  • Vigor2925 / 2925 LTE – 3.9.8.3
  • Vigor2926 / 2926 LTE – 3.9.9.8
  • Vigor2927 / 2927 LTE / 2927L-5G – 4.4.5.8
  • Vigor2962 – 4.3.2.9 / 4.4.3.2
  • Vigor3910 – 4.3.2.9 / 4.4.3.2
  • Vigor3912 – 4.3.6.2 / 4.4.3.2

DrayTek has contacted customers via email urging immediate firmware updates. For those who cannot update immediately, the following mitigations are recommended:

  1. Disable remote access unless absolutely necessary
  2. Implement access control lists (ACL) and enable 2FA where possible
  3. For unpatched routers, disable both remote access (admin) and SSL VPN
  4. Note that ACL does not apply to SSL VPN (Port 443), so temporarily disable SSL VPN until upgraded