cvebase
CVE-2024-51139
published 2025-02-27

CVE-2024-51139: Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and…

Priority: P3 56
CVSS 3.1: 9.8 (critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.08% (60.8th percentile)
Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and Vigor2133/2762/2832 3.9.9 and earlier and Vigor165/166 4.2.7 and earlier and Vigor2135/2765/2766 4.4.5.1 and earlier and Vigor2865/2866/2927 4.4.5.3 and earlier and Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier and Vigor3912 4.3.6.1 and earlier allows a remote attacker to execute arbitrary code via the CGI parser's handling of the "Content-Length" header of HTTP POST requests.

Affected

25 ranges
Vendor    Product                  Version range          Fixed in
draytek   vigor1000b_firmware      < 4.4.3.2              4.4.3.2
draytek   vigor2133_firmware       < 3.9.9.2              3.9.9.2
draytek   vigor2135_firmware       < 4.4.5.5              4.4.5.5
draytek   vigor2620_firmware       < 3.9.9.1              3.9.9.1
draytek   vigor2762_firmware       < 3.9.9.2              3.9.9.2
draytek   vigor2763_firmware       < 4.4.5.5              4.4.5.5
draytek   vigor2765_firmware       < 4.4.5.5              4.4.5.5
draytek   vigor2766_firmware       < 4.4.5.5              4.4.5.5
draytek   vigor2832_firmware       < 3.9.9.2              3.9.9.2
draytek   vigor2860_firmware       < 3.9.8.3              3.9.8.3
draytek   vigor2862_firmware       < 3.9.9.8              3.9.9.8
draytek   vigor2865_firmware       < 4.4.5.8              4.4.5.8
draytek   vigor2866_firmware       < 4.4.5.8              4.4.5.8
draytek   vigor2915_firmware       < 4.4.5                4.4.5
draytek   vigor2925_firmware       < 3.9.8.3              3.9.8.3
draytek   vigor2926_firmware       < 3.9.9.8              3.9.9.8
draytek   vigor2927_firmware       < 4.4.5.8              4.4.5.8
draytek   vigor2952_firmware       < 3.9.8.5              3.9.8.5
draytek   vigor2962_firmware       < 4.3.2.9              4.3.2.9
draytek   vigor2962_firmware       >= 4.4.3, < 4.4.3.2    4.4.3.2
draytek   vigor3220_firmware       < 3.9.8.5              3.9.8.5
draytek   vigor3910_firmware       < 4.3.2.9              4.3.2.9
draytek   vigor3910_firmware       >= 4.4.3, < 4.4.3.2    4.4.3.2
draytek   vigor3912_firmware       < 4.4.3.2              4.4.3.2
draytek   vigorlte200_firmware     < 3.9.9.1              3.9.9.1