ID

VAR-202502-3343


CVE

CVE-2024-41339


TITLE

Unrestricted Upload of Dangerous File Types Vulnerability in Multiple DrayTek Corporation Products

Trust: 0.8

sources: JVNDB: JVNDB-2024-024541

DESCRIPTION

An issue in the CGI endpoint used to upload configurations in DrayTek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload a crafted kernel module, allowing for arbitrary code execution. Multiple DrayTek Corporation products, including vigor165 firmware, vigor166 firmware and vigor2620 firmware, contain an unrestricted upload of dangerous file types vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2024-41339 // JVNDB: JVNDB-2024-024541

AFFECTED PRODUCTS

vendor: draytek, model: vigor166, scope: lt, version: 4.2.7

Trust: 1.0

vendor: draytek, model: vigor2866, scope: lt, version: 4.4.5.3

Trust: 1.0

vendor: draytek, model: vigor2860, scope: lt, version: 3.9.8

Trust: 1.0

vendor: draytek, model: vigor2762, scope: lt, version: 3.9.9

Trust: 1.0

vendor: draytek, model: vigor2766, scope: lt, version: 4.4.5.1

Trust: 1.0

vendor: draytek, model: vigor2926, scope: lt, version: 3.9.9.5

Trust: 1.0

vendor: draytek, model: vigor2832, scope: lt, version: 3.9.9

Trust: 1.0

vendor: draytek, model: vigor2927, scope: lt, version: 4.4.5.3

Trust: 1.0

vendor: draytek, model: vigor2862, scope: lt, version: 3.9.9.5

Trust: 1.0

vendor: draytek, model: vigor2962, scope: lt, version: 4.3.2.8

Trust: 1.0

vendor: draytek, model: vigor2765, scope: lt, version: 4.4.5.1

Trust: 1.0

vendor: draytek, model: vigor2133, scope: lt, version: 3.9.9

Trust: 1.0

vendor: draytek, model: vigor2620, scope: lt, version: 3.9.8.9

Trust: 1.0

vendor: draytek, model: vigor2865, scope: lt, version: 4.4.5.3

Trust: 1.0

vendor: draytek, model: vigor3910, scope: eq, version: 4.4.3

Trust: 1.0

vendor: draytek, model: vigorlte200, scope: lt, version: 3.9.8.9

Trust: 1.0

vendor: draytek, model: vigor2925, scope: lt, version: 3.9.8

Trust: 1.0

vendor: draytek, model: vigor2135, scope: lt, version: 4.4.5.1

Trust: 1.0

vendor: draytek, model: vigor165, scope: lt, version: 4.2.7

Trust: 1.0

vendor: draytek, model: vigor3910, scope: lt, version: 4.3.2.8

Trust: 1.0

vendor: draytek, model: vigor2962, scope: eq, version: 4.4.3.0

Trust: 1.0

vendor: draytek, model: vigor3912, scope: lt, version: 4.3.6.1

Trust: 1.0

vendor: draytek, model: vigor2832, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2765, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor166, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor165, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2133, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2762, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2926, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2135, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor3910, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2620, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2866, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2962, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2925, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2862, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2860, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2766, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2927, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigorlte200, scope: -, version: -

Trust: 0.8

vendor: draytek, model: vigor2865, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2024-024541 // NVD: CVE-2024-41339

CVSS

SEVERITY

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-41339
value: HIGH

Trust: 1.0

OTHER: JVNDB-2024-024541
value: HIGH

Trust: 0.8

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-41339
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2024-024541
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2024-024541 // NVD: CVE-2024-41339

PROBLEMTYPE DATA

problemtype: CWE-434

Trust: 1.0

problemtype: Unrestricted Upload of File with Dangerous Type (CWE-434) [other]

Trust: 0.8

sources: JVNDB: JVNDB-2024-024541 // NVD: CVE-2024-41339

EXTERNAL IDS

db: NVD, id: CVE-2024-41339

Trust: 2.6

db: JVNDB, id: JVNDB-2024-024541

Trust: 0.8

sources: JVNDB: JVNDB-2024-024541 // NVD: CVE-2024-41339

REFERENCES

url: http://draytek.com

Trust: 1.8

url: https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2024-41339

Trust: 0.8

sources: JVNDB: JVNDB-2024-024541 // NVD: CVE-2024-41339

SOURCES

db: JVNDB, id: JVNDB-2024-024541
db: NVD, id: CVE-2024-41339

LAST UPDATE DATE

2025-06-05T23:09:34.182000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2024-024541, date: 2025-06-04T00:48:00
db: NVD, id: CVE-2024-41339, date: 2025-06-03T13:52:39.957

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2024-024541, date: 2025-06-04T00:00:00
db: NVD, id: CVE-2024-41339, date: 2025-02-27T21:15:36.837