CVE-2024-41340

An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload crafted APP Enforcement modules, leading to arbitrary code execution.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://draytek.com
https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946

Configurations

No configuration.

History

28 Feb 2025, 22:15

Type	Values Removed	Values Added
CWE		CWE-434
Summary		(es) Un problema en los dispositivos Draytek Vigor 165/166 anteriores a la v4.2.6, Vigor 2620/LTE200 anteriores a la v3.9.8.8, Vigor 2860/2925 anteriores a la v3.9.7, Vigor 2862/2926 anteriores a la v3.9.9.4, Vigor 2133/2762/2832 anteriores a la v3.9.8, Vigor 2135/2765/2766 anteriores a la v4.4.5.1, Vigor 2865/2866/2927 anteriores a la v4.4.5.3, Vigor 2962/3910 anteriores a la v4.3.2.7, Vigor 3912 anteriores a la v4.3.5.2 y Vigor 2925 hasta la v3.9.6 permite a los atacantes cargar aplicaciones manipuladas por ellos. Módulos de cumplimiento que conducen a la ejecución de código arbitrario.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.4

27 Feb 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-27 21:15

Updated : 2025-02-28 22:15

NVD link : CVE-2024-41340

Mitre link : CVE-2024-41340

CVE.ORG link : CVE-2024-41340

JSON object : View

Products Affected

No product.

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

8.4 /10