CVE-2024-41334 (CVSS 9.8)
On April 11th 2024, Draytek were made aware of a number of vulnerabilities in their Draytek Vigor range of routers, including Denial of Service (DoS), Information Disclosure, and Remote Code Execution (RCE). Draytek have addressed these issues in firmware, and
users MUST upgrade to the latest safe version, or preferably the latest version.
CVE-2024-41334 CVE-2024-41335 CVE-2024-41336 CVE-2024-41338 CVE-2024-41339 CVE-2024-41340
ALWAYS ENSURE YOUR NETWORKING HARDWARE IS RUNNING UP TO DATE FIRMWARE
Affected Products & Safe Firmware
Router Model | Safe Firmware Version
Vigor165 | 4.2.7
Vigor166 | 4.2.7
Vigor2133 | 3.9.9
Vigor2135 | 4.4.5.3
Vigor2620 LTE | 3.9.8.9
Vigor2762 | 3.9.9
Vigor2763 | 4.4.5.3
Vigor2765 | 4.4.5.3
Vigor2766 | 4.4.5.3
Vigor2832 | 3.9.9
Vigor2860 / 2860 LTE | 3.9.8
Vigor2862 / 2862 LTE | 3.9.9.5
Vigor2865 / 2865 LTE | 4.4.5.2
Vigor2866 / 2866 LTE | 4.4.5.2
Vigor2915 | 4.4.3.2
Vigor2925 / 2925 LTE | 3.9.8
Vigor2926 / 2926 LTE | 3.9.9.5
Vigor2927 / 2927 LTE / 2927L-5G | 4.4.5.5
Vigor2952 / 2952 LTE | 3.9.8.2
Vigor3220n | 3.9.8.2
Vigor1000B | 4.3.2.8
Vigor2962 | 4.3.2.8 / 4.4.3.1
Vigor3910 | 4.3.2.8 / 4.4.3.1
Vigor3912 | 4.3.6.1
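As an added example (not Draytek's or GEN's own tooling), the following Python script checks a router's reported model and running firmware against the table above. It maps the LTE and L-5G variants onto their base model, compares versions numerically rather than as strings, and handles the models that list two supported firmware branches; the inventory entries at the bottom are constructed sample values.

```python
import re

# Minimum safe firmware per model, copied from the advisory's table. LTE and
# L-5G variants share the base model's entry; two versions separated by " / "
# mean two supported firmware branches, each with its own minimum.
SAFE_FIRMWARE = {
    "Vigor165": "4.2.7", "Vigor166": "4.2.7", "Vigor2133": "3.9.9",
    "Vigor2135": "4.4.5.3", "Vigor2620": "3.9.8.9", "Vigor2762": "3.9.9",
    "Vigor2763": "4.4.5.3", "Vigor2765": "4.4.5.3", "Vigor2766": "4.4.5.3",
    "Vigor2832": "3.9.9", "Vigor2860": "3.9.8", "Vigor2862": "3.9.9.5",
    "Vigor2865": "4.4.5.2", "Vigor2866": "4.4.5.2", "Vigor2915": "4.4.3.2",
    "Vigor2925": "3.9.8", "Vigor2926": "3.9.9.5", "Vigor2927": "4.4.5.5",
    "Vigor2952": "3.9.8.2", "Vigor3220n": "3.9.8.2", "Vigor1000B": "4.3.2.8",
    "Vigor2962": "4.3.2.8 / 4.4.3.1", "Vigor3910": "4.3.2.8 / 4.4.3.1",
    "Vigor3912": "4.3.6.1",
}

def parse_version(text):
    """'4.4.5.3' -> (4, 4, 5, 3); numeric, so 3.9.10 sorts above 3.9.9."""
    return tuple(int(p) for p in text.strip().split("."))

def normalize_model(model):
    """Map 'Vigor2860 LTE' or 'Vigor2927L-5G' onto the base model key."""
    return re.sub(r"(\s*LTE|L-5G)$", "", model.strip())

def check_firmware(model, running):
    """Return ('safe' | 'update' | 'unknown', minimum version or None)."""
    key = normalize_model(model)
    if key not in SAFE_FIRMWARE:
        return "unknown", None          # e.g. EOL models such as the 2830
    minimums = [v.strip() for v in SAFE_FIRMWARE[key].split("/")]
    cur = parse_version(running)
    # Use the minimum for the branch (major.minor) the router is on; if it
    # runs a branch the table does not list, require the newest listed minimum.
    same_branch = [m for m in minimums if parse_version(m)[:2] == cur[:2]]
    required = same_branch[0] if same_branch else max(minimums, key=parse_version)
    return ("safe" if cur >= parse_version(required) else "update"), required

# Constructed sample inventory: (model as reported by the router, running firmware).
INVENTORY = [("Vigor2865 LTE", "4.4.3.1"), ("Vigor2962", "4.3.2.8"),
             ("Vigor2962", "4.4.2.0"), ("Vigor2830", "3.8.9")]

def report(inventory=INVENTORY):
    """One (model, running, status, minimum) row per inventory entry."""
    return [(m, v) + check_firmware(m, v) for m, v in inventory]

if __name__ == "__main__":
    for row in report():
        print("%-16s %-9s %-8s min=%s" % row)
```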
IMPORTANT
DO NOT attempt to update affected devices remotely: they can be forced to reboot via the online DoS/RCE vulnerabilities, and in some cases this interrupts the firmware upgrade and leaves the router dead, requiring a replacement or local TFTP firmware provisioning.
Mitigations
If you are unable to update the device firmware, CVE-2024-51138/9 can be partially mitigated by:
- Disable Remote Access
- Disable SSL VPN
However, it is strongly recommended to update the firmware ASAP. In most cases this simply means flashing the .all firmware file specific to your router, but if that fails repeatedly you will need to factory reset, flash, and then reconfigure.
Obsolete Hardware
Customers with a 2830 who are having issues do not have a firmware patch available, since this model was EOL in 2020. You *should* upgrade to the 2865, but disabling remote management and SSL VPN should mitigate the issue.
Can't Access the web interface?
In some cases the router isn't stable enough to use the web interface, rebooting before you can log in or make any changes. In this case, telnet/ssh can be used. The actual command to telnet/ssh into the router varies by operating system, and
the commands on the router to disable VPN and remote management also vary by model, so you will need to research this or book time at the HelpDesk.
Why did it take almost a year?
Well, it didn't, and anyone reporting this is plain wrong. Draytek provided patched firmware fixing these CVEs between August and
September 2024. These vulnerabilities are complex, hard to exploit, and affect a wide selection of hardware. Draytek
likely had to rewrite large amounts of code to mitigate them fully, followed by extensive
testing before public release.
Maintenance
It is VITALLY IMPORTANT that service providers keep their Draytek hardware on the latest firmware. GEN patch all our managed routers
within the first 48 hours of any firmware release that contains security fixes to ensure the stability of our base, but judging by the support cases
hitting the HelpDesk recently, not everyone does this. PLEASE keep your firmware up to date; it only takes a few minutes and can save hours of downtime.
Technical Support
If you are experiencing issues and need assistance urgently, visit the HelpDesk and we will help. It isn't free, but it's professional, fast and efficient.
Ian Walker · 2025-03-26 11:21 UTC
Thank you!