CVE-2024-41588

HIGH

Draytek Vigor2620 Firmware < 4.4.5.3 - Buffer Overflow

Title source: rule

Description

The CGI endpoints v2x00.cgi and cgiwcg.cgi of DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to buffer overflows, by authenticated users, because of missing bounds checking on parameters passed through POST requests to the strncpy function.

References (2)

Core 2

Core References

Mitigation, Technical Description, Third Party Advisory

https://www.forescout.com/resources/draybreak-draytek-research/

Broken Link

https://www.forescout.com/resources/draytek14-vulnerabilities

Scores

CVSS v3 8.0

EPSS 0.0010

EPSS Percentile 27.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-120

Status published

Products (24)

draytek/vigor1000b_firmware < 4.3.2.8

draytek/vigor165_firmware < 4.2.7

draytek/vigor166_firmware < 4.2.7

draytek/vigor2133_firmware

draytek/vigor2135_firmware < 4.4.5.3

draytek/vigor2620_firmware

draytek/vigor2762_firmware

draytek/vigor2763_firmware < 4.4.5.3

draytek/vigor2765_firmware < 4.4.5.3

draytek/vigor2766_firmware < 4.4.5.3

... and 14 more

Published Oct 03, 2024

Tracked Since Feb 18, 2026