PT-2025-9018 · Draytek · Draytek Vigor 3912+8

Published 2024-08-09 · Updated 2025-03-25 · CVE-2024-41334

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Draytek Vigor 165/166 versions prior to 4.2.6
Draytek Vigor 2620/LTE200 versions prior to 3.9.8.8
Draytek Vigor 2860/2925 versions prior to 3.9.7
Draytek Vigor 2862/2926 versions prior to 3.9.9.4
Draytek Vigor 2133/2762/2832 versions prior to 3.9.8
Draytek Vigor 2135/2765/2766 versions prior to 4.4.5.1
Draytek Vigor 2865/2866/2927 versions prior to 4.4.5.3
Draytek Vigor 2962/3910 versions prior to 4.3.2.7
Draytek Vigor 3912 versions prior to 4.3.5.2
Draytek Vigor 2925 versions up to 3.9.6

Description

Because the devices do not use certificate verification, attackers can upload crafted APPE modules from non-official servers, leading to arbitrary code execution.

Recommendations

For Draytek Vigor 165/166 versions prior to 4.2.6, update to version 4.2.6 or later.
For Draytek Vigor 2620/LTE200 versions prior to 3.9.8.8, update to version 3.9.8.8 or later.
For Draytek Vigor 2860/2925 versions prior to 3.9.7, update to version 3.9.7 or later.
For Draytek Vigor 2862/2926 versions prior to 3.9.9.4, update to version 3.9.9.4 or later.
For Draytek Vigor 2133/2762/2832 versions prior to 3.9.8, update to version 3.9.8 or later.
For Draytek Vigor 2135/2765/2766 versions prior to 4.4.5.1, update to version 4.4.5.1 or later.
For Draytek Vigor 2865/2866/2927 versions prior to 4.4.5.3, update to version 4.4.5.3 or later.
For Draytek Vigor 2962/3910 versions prior to 4.3.2.7, update to version 4.3.2.7 or later.
For Draytek Vigor 3912 versions prior to 4.3.5.2, update to version 4.3.5.2 or later.
For Draytek Vigor 2925 versions up to 3.9.6, update to version 3.9.7 or later.

Fix

Code Injection

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

BDU:2025-04568
CVE-2024-41334

Affected Products

Draytek Vigor 165/166
Draytek Vigor 2133/2762/2832
Draytek Vigor 2135/2765/2766
Draytek Vigor 2620/LTE200
Draytek Vigor 2860/2925
Draytek Vigor 2862/2926
Draytek Vigor 2865/2866/2927
Draytek Vigor 2962/3910
Draytek Vigor 3912