CVE-2024-41339

HIGH

Draytek Vigor165 Firmware < 4.2.7 - Unrestricted File Upload

Title source: rule

Description

An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload a crafted kernel module, allowing for arbitrary code execution.

References (2)

Core 2

Core References

Product

http://draytek.com

Third Party Advisory

https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946

Scores

CVSS v3 8.8

EPSS 0.0017

EPSS Percentile 38.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (22)

draytek/vigor165_firmware < 4.2.7

draytek/vigor166_firmware < 4.2.7

draytek/vigor2133_firmware < 3.9.9

draytek/vigor2135_firmware < 4.4.5.1

draytek/vigor2620_firmware < 3.9.8.9

draytek/vigor2762_firmware < 3.9.9

draytek/vigor2765_firmware < 4.4.5.1

draytek/vigor2766_firmware < 4.4.5.1

draytek/vigor2832_firmware < 3.9.9

draytek/vigor2860_firmware < 3.9.8

... and 12 more

Published Feb 27, 2025

Tracked Since Feb 18, 2026