CVE-2024-51139

CRITICAL

Draytek Vigor2620 Firmware < 3.9.9.1 - Buffer Overflow

Title source: rule

Description

Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and Vigor2133/2762/2832 3.9.9 and earlier and Vigor165/166 4.2.7 and earlier and Vigor2135/2765/2766 4.4.5.1 and earlier and Vigor2865/2866/2927 4.4.5.3 and earlier and Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier and Vigor3912 4.3.6.1 and earlier allows a remote attacker to execute arbitrary code via the CGI parser's handling of the "Content-Length" header of HTTP POST requests.

References (2)

Core 2

Core References

Product

http://draytek.com

Third Party Advisory

https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946

Scores

CVSS v3 9.8

EPSS 0.0548

EPSS Percentile 90.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-120

Status published

Products (23)

draytek/vigor1000b_firmware < 4.4.3.2

draytek/vigor2133_firmware < 3.9.9.2

draytek/vigor2135_firmware < 4.4.5.5

draytek/vigor2620_firmware < 3.9.9.1

draytek/vigor2762_firmware < 3.9.9.2

draytek/vigor2763_firmware < 4.4.5.5

draytek/vigor2765_firmware < 4.4.5.5

draytek/vigor2766_firmware < 4.4.5.5

draytek/vigor2832_firmware < 3.9.9.2

draytek/vigor2860_firmware < 3.9.8.3

... and 13 more

Published Feb 27, 2025

Tracked Since Feb 18, 2026