Original article: ISPreview UK
Customers of DrayTek’s popular broadband routers, a familiar name in the UK ISP world, have this week been notified about two recently published security vulnerabilities in several of their products – both of which carry a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10. But don’t worry, new firmware already exists to patch them.
In security terms, the past few months have been rather bumpy for DrayTek, which took a hit late last year after Forescout Research identified 14 security vulnerabilities in 24 models of their popular Vigor routers (here). The latest development is that several new critical security vulnerabilities affecting the company’s routers were only published at the end of February 2025, despite having been discovered on 9th October 2024.
The first one, CVE-2024-51138, is a stack-based buffer overflow in the TR069 STUN server that may allow remote code execution with elevated privileges. The second one, CVE-2024-51139, is another buffer overflow vulnerability – in multiple Vigor routers – that allows remote code execution via HTTP POST requests. Thanks to Fred for the news tip.
The good news is that DrayTek patched these by releasing new firmware versions around November 2024 (depending on model), although they’ve only now begun contacting customers on their mailing list to urge them to “upgrade your firmware immediately”. The company also posted a related notice on their website last week (here).
DrayTek’s Email Notice
If remote access is enabled:
➤ Disable it unless absolutely necessary.
➤ Use an access control list (ACL) and enable 2FA if possible.
➤ For unpatched routers, disable both remote access (admin) and SSL VPN.
➤ Note: ACL doesn’t apply to SSL VPN (Port 443), so temporarily disable SSL VPN until upgraded.
Affected Products and Fixed Firmware Versions:
Vigor2620 LTE – 3.9.9.1
VigorLTE 200n – 3.9.9.1
Vigor2133 – 3.9.9.2
Vigor2135 – 4.4.5.5
Vigor2762 – 3.9.9.2
Vigor2765 – 4.4.5.5
Vigor2766 – 4.4.5.5
Vigor2832 – 3.9.9.2
Vigor2860 / 2860 LTE – 3.9.8.3
Vigor2862 / 2862 LTE – 3.9.9.8
Vigor2865 / 2865 LTE / 2865L-5G – 4.4.5.8
Vigor2866 / 2866 LTE – 4.4.5.8
Vigor2925 / 2925 LTE – 3.9.8.3
Vigor2926 / 2926 LTE – 3.9.9.8
Vigor2927 / 2927 LTE / 2927L-5G – 4.4.5.8
Vigor2962 – 4.3.2.9 / 4.4.3.2
Vigor3910 – 4.3.2.9 / 4.4.3.2
Vigor3912 – 4.3.6.2 / 4.4.3.2
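The firmware table above is only useful if it is actually checked against what is running in the field. The script below is an added example (not DrayTek’s or ISPreview’s code) that audits a small inventory against the fixed versions listed in the notice. The table is copied from the notice; the inventory lines are constructed sample data, and the model name `Vigor0000` is made up to show the "not in the notice" case. One assumption is mine: where a model lists two fixed versions (for example Vigor2962 with 4.3.2.9 and 4.4.3.2), they are treated as two separate firmware branches, 4.3.x and 4.4.x, each with its own fixed release, so a router on 4.4.0.1 is still flagged even though 4.4.0.1 sorts above 4.3.2.9.

```python
"""Audit a router inventory against DrayTek's published fixed-firmware table.

Added example, not DrayTek's or ISPreview's own code. FIXED_FIRMWARE is copied
from the notice; the two-branch interpretation of models with two fixed
versions is an ASSUMPTION; SAMPLE_INVENTORY is constructed test data.
"""
import re

# Model -> fixed firmware version(s) from the notice. Variants that the notice
# lists as sharing one fix ("2860 LTE", "2865L-5G") are folded into the base
# model name by base_model() below.
FIXED_FIRMWARE = {
    "Vigor2620": ["3.9.9.1"],        # listed as "Vigor2620 LTE"
    "VigorLTE 200n": ["3.9.9.1"],
    "Vigor2133": ["3.9.9.2"],
    "Vigor2135": ["4.4.5.5"],
    "Vigor2762": ["3.9.9.2"],
    "Vigor2765": ["4.4.5.5"],
    "Vigor2766": ["4.4.5.5"],
    "Vigor2832": ["3.9.9.2"],
    "Vigor2860": ["3.9.8.3"],        # also 2860 LTE
    "Vigor2862": ["3.9.9.8"],        # also 2862 LTE
    "Vigor2865": ["4.4.5.8"],        # also 2865 LTE / 2865L-5G
    "Vigor2866": ["4.4.5.8"],        # also 2866 LTE
    "Vigor2925": ["3.9.8.3"],        # also 2925 LTE
    "Vigor2926": ["3.9.9.8"],        # also 2926 LTE
    "Vigor2927": ["4.4.5.8"],        # also 2927 LTE / 2927L-5G
    "Vigor2962": ["4.3.2.9", "4.4.3.2"],
    "Vigor3910": ["4.3.2.9", "4.4.3.2"],
    "Vigor3912": ["4.3.6.2", "4.4.3.2"],
}


def base_model(model: str) -> str:
    """Strip variant suffixes such as ' LTE' or 'L-5G' down to 'VigorNNNN'."""
    m = re.match(r"(Vigor\d{4})", model.strip())
    return m.group(1) if m else model.strip()


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.4.5.8' into (4, 4, 5, 8) so comparisons are numeric, not lexical."""
    if not re.fullmatch(r"\d+(\.\d+)*", version.strip()):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in version.strip().split("."))


def branch(version: tuple[int, ...]) -> tuple[int, ...]:
    """The first two components (e.g. 4.4) identify a firmware branch (assumption)."""
    return version[:2]


def is_patched(model: str, running: str):
    """True if running >= the fix for its branch, False if not, None if unknown model."""
    fixes = FIXED_FIRMWARE.get(base_model(model))
    if fixes is None:
        return None
    running_v = parse_version(running)
    fixed_vs = [parse_version(f) for f in fixes]
    same_branch = [f for f in fixed_vs if branch(f) == branch(running_v)]
    if same_branch:
        return running_v >= same_branch[0]
    # Branch not listed at all: a branch newer than every listed fix is assumed
    # to include it; an older branch is conservatively treated as unpatched.
    return branch(running_v) > max(branch(f) for f in fixed_vs)


# Constructed sample inventory: host, model, running firmware.
SAMPLE_INVENTORY = """\
branch-office-1,Vigor2865 LTE,4.4.5.8
branch-office-2,Vigor2865,4.4.3.1
hq-core,Vigor3910,4.4.3.2
hq-backup,Vigor3910,4.3.2.8
lab-a,Vigor2962,4.3.3.0
lab-b,Vigor2962,4.4.0.1
old-site,Vigor2135,4.3.9.9
mystery,Vigor0000,1.0.0.0
"""


def audit(inventory_csv: str) -> list[tuple[str, str, str, str]]:
    """Return (host, model, firmware, verdict) for every inventory line."""
    verdicts = {True: "PATCHED", False: "UPGRADE", None: "NOT-IN-NOTICE"}
    rows = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, model, firmware = (field.strip() for field in line.split(","))
        rows.append((host, model, firmware, verdicts[is_patched(model, firmware)]))
    return rows


if __name__ == "__main__":
    for host, model, firmware, verdict in audit(SAMPLE_INVENTORY):
        print(f"{host:16} {model:16} {firmware:10} {verdict}")
```

Feed it your own inventory export in the same three-column shape; anything reported as UPGRADE or NOT-IN-NOTICE deserves a manual look, and the notice’s interim advice (disable remote admin and SSL VPN) applies until the router is on the fixed release.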
DrayTek has since thanked the Faraday Security Research team, which has posted more details about the issues online (here), for their “efforts in security testing and timely reporting the vulnerability”.