CVE-2024-41592

Name of the Vulnerable Software and Affected Versions: DrayTek Vigor3910 devices through 4.3.2.6

Description: The issue is a stack-based overflow when processing query string parameters because GetCGI mishandles extraneous ampersand characters and long key-value pairs. This can be exploited by sending a specially crafted HTTP request, potentially allowing an attacker to execute arbitrary code. The vulnerability is being actively exploited.

Recommendations: For DrayTek Vigor3910 devices through 4.3.2.6, consider disabling the GetCGI function until a patch is available to prevent exploitation. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the query string parameters in the affected API endpoint until the issue is resolved. Update to a newer version that contains a fix for this issue once it becomes available.