CVE-2024-41334: Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior...
Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution.
Security readout for executives and security teams
Plain-English summary
This flaw affects multiple Draytek Vigor router lines. The devices did not verify certificates when obtaining APPE modules, so an attacker could provide a crafted module from a non-official server and achieve arbitrary code execution. That creates a serious risk for edge network devices that often sit directly in front of business networks.
Executive priority
Prioritize this as a high-risk edge-device issue. Compromise of a router can affect traffic visibility, network integrity, and availability. Remediation should focus first on exposed or remotely administered Draytek devices running vulnerable firmware.
Technical view
CVE-2024-41334 is a CWE-295 certificate verification failure in listed Draytek Vigor firmware versions. The CVSS 3.1 score is 8.8, with network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity, and availability impact.
Likely exposure
Exposure is most likely where listed Draytek Vigor models run firmware below the fixed versions named in the CVE description, including Vigor 165/166, 2620/LTE200, 2860/2925, 2862/2926, 2133/2762/2832, 2135/2765/2766, 2865/2866/2927, 2962/3910, and 3912 families.
Exploitation context
The provided sources describe arbitrary code execution through crafted APPE modules from non-official servers. The CVE is not marked KEV in the bundle, and no cited source in the bundle confirms active exploitation. Treat internet-facing or remotely managed devices as higher priority.
Researcher notes
The key weakness is missing certificate verification during APPE module handling. The bundle gives affected model and firmware thresholds, CVSS metadata, CWE-295 classification, and one public advisory reference, but it does not include proof of active exploitation or detailed vendor remediation text.
Mitigation direction
Identify all Draytek Vigor devices and record exact model and firmware version.
Upgrade affected models to the fixed firmware versions named in the CVE description.
Check Draytek or vendor guidance for model-specific remediation details.
Restrict administrative access to trusted networks and accounts.
Review device configuration for unauthorized module or firmware changes.
Validation and detection
Compare deployed firmware against each affected version threshold in the CVE description.
Confirm whether APPE module functionality is enabled or used on managed devices.
Review logs for unexpected module downloads, firmware changes, or administrator activity.
Verify management interfaces are not unnecessarily exposed to untrusted networks.
Document remediated devices and exceptions for follow-up tracking.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-295: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.