Cyber Posture

CVE-2024-51139

Critical

Published: 27 February 2025

Modified: 28 May 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0548 (90.2th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Description

Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and Vigor2133/2762/2832 3.9.9 and earlier and Vigor165/166 4.2.7 and earlier and Vigor2135/2765/2766 4.4.5.1 and earlier and Vigor2865/2866/2927 4.4.5.3 and earlier and Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier and Vigor3912 4.3.6.1 and earlier allows a remote attacker to execute arbitrary code via the CGI parser's handling of the "Content-Length" header of HTTP POST requests.

Security Summary

CVE-2024-51139 is a buffer overflow vulnerability (CWE-120) affecting the CGI parser in multiple DrayTek Vigor router models. It impacts Vigor2620/LTE200 firmware 3.9.8.9 and earlier, Vigor2860/2925 3.9.8 and earlier, Vigor2862/2926 3.9.9.5 and earlier, Vigor2133/2762/2832 3.9.9 and earlier, Vigor165/166 4.2.7 and earlier, Vigor2135/2765/2766 4.4.5.1 and earlier, Vigor2865/2866/2927 4.4.5.3 and earlier, Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier, and Vigor3912 4.3.6.1 and earlier. The flaw arises from improper handling of the "Content-Length" header in HTTP POST requests, earning a CVSS v3.1 base score of 9.8 (Critical).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. By sending a specially crafted HTTP POST request with a manipulated "Content-Length" header, the attacker triggers the buffer overflow in the CGI parser, enabling arbitrary code execution on the affected device. Successful exploitation has a high impact on confidentiality, integrity, and availability, potentially allowing full router compromise, such as backdoor installation or traffic redirection.

Vendor advisories and third-party reports, including those from DrayTek at http://draytek.com and Faraday Labs at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946, address this among multiple DrayTek router vulnerabilities. Mitigation requires updating to firmware versions later than those listed as vulnerable, as patches are available from the vendor.

Details

CWE(s)
CWE-120

Affected Products

Vendor   Product                 Affected versions
draytek  vigor2620 firmware      ≤ 3.9.9.1
draytek  vigorlte200 firmware    ≤ 3.9.9.1
draytek  vigor2860 firmware      ≤ 3.9.8.3
draytek  vigor2925 firmware      ≤ 3.9.8.3
draytek  vigor2862 firmware      ≤ 3.9.9.8
draytek  vigor2926 firmware      ≤ 3.9.9.8
draytek  vigor2133 firmware      ≤ 3.9.9.2
draytek  vigor2762 firmware      ≤ 3.9.9.2
draytek  vigor2832 firmware      ≤ 3.9.9.2
draytek  vigor2135 firmware      ≤ 4.4.5.5
+13 more product configuration(s) — see NVD for full list
