CVE-2024-51138: Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vig...
Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5. and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; Vigor3910 4.4.3.1 and earlier a stack-based buffer overflow vulnerability has been identified in the URL parsing functionality of the TR069 STUN server. This flaw occurs due to insufficient bounds checking on the amount of URL parameters, allowing an attacker to exploit the overflow by sending a maliciously crafted request. Consequently, a remote attacker can execute arbitrary code with elevated privileges.
Security readout for executives and security teams
Plain-English summary
This CVE affects multiple DrayTek Vigor router firmware lines. A remote unauthenticated attacker may be able to trigger a stack buffer overflow in TR069 STUN URL parsing and run code with elevated privileges. For organizations using these routers, the business risk is potential perimeter device takeover.
Executive priority
Prioritize this as urgent for environments with affected DrayTek routers, especially perimeter or remotely managed devices. The issue is critical because compromise could give an attacker elevated control of network infrastructure, but active exploitation is not proven in the provided sources.
Technical view
CVE-2024-51138 is a CWE-121 stack-based buffer overflow in the TR069 STUN server URL parsing path. The CVE states insufficient bounds checking on URL parameters can allow a crafted network request to execute arbitrary code with elevated privileges. CVSS is 9.8, network attack vector, low complexity, no privileges, and no user interaction.
Likely exposure
Exposure is likely for DrayTek Vigor models and firmware versions listed in the CVE when the TR069 STUN server is reachable over the network. The bundle does not provide CPEs, asset-discovery rules, or a complete vendor patch matrix.
Exploitation context
The CVE record supports remote unauthenticated code execution potential, but the bundle does not cite active exploitation. It is not listed as CISA KEV in the provided data. Treat exploit availability and in-the-wild activity as unconfirmed from these sources.
Researcher notes
The provided bundle names affected DrayTek firmware branches but lists vendor/product/CPE fields as n/a. Analysis should rely on exact model and firmware matching from the description and advisory. Avoid assuming exploit status, patched versions, or service exposure beyond what local validation confirms.
Mitigation direction
Identify DrayTek Vigor models and firmware versions in the listed affected ranges.
Check DrayTek and the Faraday advisory for model-specific fixed firmware or mitigations.
Apply vendor-approved firmware updates where available for the exact model.
Restrict network reachability to TR-069/STUN and management services where operationally possible.
Monitor vendor advisories because the bundle does not include a complete fix matrix.
Validation and detection
Compare router model and firmware versions against the CVE description.
Confirm whether TR069 STUN functionality is enabled or reachable in each deployment.
Review perimeter firewall rules for untrusted access to router management-related services.
Check vulnerability scanner findings against the exact DrayTek model and firmware.
Document unsupported or unpatched devices for replacement or isolation decisions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-121: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-121 · source CWE mapping
Stack-based Buffer Overflow
Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.