CVE-2024-41334

high-risk
Published 2025-02-27

Draytek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution.

Do I need to act?

0.14% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance. The description above gives, per model, the first firmware version to which the issue no longer applies, so compare the running firmware against those versions.
CVSS 8.8/10 High (NETWORK attack vector / LOW complexity)

Affected Products (20)

Vigor166 Firmware
Vigor2620 Firmware
Vigorlte200 Firmware
Vigor2860 Firmware
Vigor2925 Firmware
Vigor2862 Firmware
Vigor2926 Firmware
Vigor2133 Firmware
Vigor2762 Firmware
Vigor2832 Firmware
Vigor2135 Firmware
Vigor2765 Firmware
Vigor2766 Firmware
Vigor2865 Firmware
Vigor2866 Firmware
Vigor2927 Firmware
Vigor2962 Firmware
Vigor3912 Firmware
Vigor165 Firmware

Affected Vendors

Draytek

Risk score 51 / 100 (high-risk)
Severity 30/34 · Critical
Exploitability 1/34 · Minimal
Exposure 20/34 · Moderate