CVE-2024-51138
high-risk
Published 2025-02-27
Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5. and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; Vigor3910 4.4.3.1 and earlier a stack-based buffer overflow vulnerability has been identified in the URL parsing functionality of the TR069 STUN server. This flaw occurs due to insufficient bounds checking on the amount of URL parameters, allowing an attacker to exploit the overflow by sending a maliciously crafted request. Consequently, a remote attacker can execute arbitrary code with elevated privileges.
Do I need to act?
~
7.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
Vigor3912 Firmware
Vigor2620 Firmware
Vigorlte200 Firmware
Vigor2860 Firmware
Vigor2925 Firmware
Vigor2862 Firmware
Vigor2926 Firmware
Vigor2133 Firmware
Vigor2762 Firmware
Vigor2832 Firmware
Vigor2135 Firmware
Vigor2765 Firmware
Vigor2766 Firmware
Vigor2763 Firmware
Vigor2865 Firmware
Vigor2866 Firmware
Vigor2927 Firmware
Vigor2962 Firmware
Vigor2915 Firmware
Affected Vendors
References (2)
Product
http://draytek.com
Third Party Advisory
https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-r...
62
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
9/34 · Low
Exposure
21/34 · High