CVE-2024-41339

CVE-2024-41339 affects the CGI endpoint used for uploading configurations in multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The issue, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), enables attackers to upload a crafted kernel module, resulting in arbitrary code execution on the device. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation involves uploading a malicious kernel module via the affected CGI endpoint, achieving arbitrary code execution with high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise.

Vendor advisories and security researcher publications, including those on the Draytek website (http://draytek.com) and a Medium post by Faraday Labs (https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946), recommend updating to the specified patched firmware versions for each affected model to mitigate the vulnerability.