LiveActive security incident?Get immediate response
CVE Record

CVE-2024-41334: Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior...

Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution.

HighCVSS 8.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This flaw affects multiple Draytek Vigor router lines. The devices did not verify certificates when obtaining APPE modules, so an attacker could provide a crafted module from a non-official server and achieve arbitrary code execution. That creates a serious risk for edge network devices that often sit directly in front of business networks.

Executive priority

Prioritize this as a high-risk edge-device issue. Compromise of a router can affect traffic visibility, network integrity, and availability. Remediation should focus first on exposed or remotely administered Draytek devices running vulnerable firmware.

Technical view

CVE-2024-41334 is a CWE-295 certificate verification failure in listed Draytek Vigor firmware versions. The CVSS 3.1 score is 8.8, with network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity, and availability impact.

Likely exposure

Exposure is most likely where listed Draytek Vigor models run firmware below the fixed versions named in the CVE description, including Vigor 165/166, 2620/LTE200, 2860/2925, 2862/2926, 2133/2762/2832, 2135/2765/2766, 2865/2866/2927, 2962/3910, and 3912 families.

Exploitation context

The provided sources describe arbitrary code execution through crafted APPE modules from non-official servers. The CVE is not marked KEV in the bundle, and no cited source in the bundle confirms active exploitation. Treat internet-facing or remotely managed devices as higher priority.

Researcher notes

The key weakness is missing certificate verification during APPE module handling. The bundle gives affected model and firmware thresholds, CVSS metadata, CWE-295 classification, and one public advisory reference, but it does not include proof of active exploitation or detailed vendor remediation text.

Mitigation direction

  • Identify all Draytek Vigor devices and record exact model and firmware version.
  • Upgrade affected models to the fixed firmware versions named in the CVE description.
  • Check Draytek or vendor guidance for model-specific remediation details.
  • Restrict administrative access to trusted networks and accounts.
  • Review device configuration for unauthorized module or firmware changes.

Validation and detection

  • Compare deployed firmware against each affected version threshold in the CVE description.
  • Confirm whether APPE module functionality is enabled or used on managed devices.
  • Review logs for unexpected module downloads, firmware changes, or administrator activity.
  • Verify management interfaces are not unnecessarily exposed to untrusted networks.
  • Document remediated devices and exceptions for follow-up tracking.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-295: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-41334 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
2Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H2.85.9CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

8.8High
CVSS 3.1 vector shape for CVE-2024-41334Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.