We are writing to inform you about critical security vulnerabilities discovered in several DrayTek products on June 20, 2024. These vulnerabilities include Cross-Site Scripting, Denial of Service, and Remote Code Execution issues. We have addressed these concerns and released firmware updates to enhance security.
Vulnerability Details:
- Published Date: 2024/10/4
- CVE IDs: CVE-2024-41583 to CVE-2024-41596
- Types: Cross-Site Scripting, Denial of Service, Remote Code Execution
CVE number CVSS CVE-2024-41583 4.7 CVE-2024-41584 4.7 CVE-2024-41585 6.8 CVE-2024-41586 8 CVE-2024-41587 5.4 CVE-2024-41588 8 CVE-2024-41589 8.8 CVE-2024-41590 8 CVE-2024-41591 6.1 CVE-2024-41592 8 CVE-2024-41593 9.8 CVE-2024-41594 7.5 CVE-2024-41595 8 CVE-2024-41596 8
Urgent Action Required:
1. Upgrade your firmware immediately to the version listed below for your device.
2. Before upgrading:
- Back up your current configuration (System Maintenance > Config Backup).
- Use the ".ALL" file for upgrading to preserve your settings.
- If upgrading from an older version, review the release notes for specific instructions.
3. If remote access is enabled:
- Disable it unless absolutely necessary.
- Use an access control list (ACL) and enable 2FA if possible.
- For unpatched routers, disable both remote access (admin) and SSL VPN.
- Note: ACL doesn't apply to SSL VPN (Port 443), so temporarily disable SSL VPN until upgraded.
Affected Products and Fixed Firmware Versions:
- Vigor165 - 4.2.7
- Vigor166 - 4.2.7
- Vigor1000B - 4.3.2.8 4.4.3.2*
- Vigor2133 - 3.9.9
- Vigor2135 - 4.4.5.3
- Vigor2620 LTE - 3.9.8.9
- Vigor2762 - 3.9.9
- Vigor2763 - 4.4.5.3
- Vigor2765 - 4.4.5.3
- Vigor2766 - 4.4.5.3
- Vigor2832 - 3.9.9
- Vigor2860 / 2860 LTE - 3.9.8
- Vigor2862 / 2862 LTE - 3.9.9.5
- Vigor2865 / 2865 LTE - 4.4.5.2
- Vigor2866 / 2866 LTE - 4.4.5.2
- Vigor2915 - 4.4.3.2
- Vigor2925 / 2925 LTE - 3.9.8
- Vigor2926 / 2926 LTE - 3.9.9.5
- Vigor2927 / 2927 LTE / 2927L-5G - 4.4.5.5
- Vigor2952 / 2952 LTE - 3.9.8.2
- Vigor2962 - 4.3.2.8 4.4.3.1
- Vigor3220n - 3.9.8.2
- Vigor3910 - 4.3.2.8 4.4.3.1
- Vigor3912 - 4.3.6.1
*Firmware unreleased
Additional Security Measures:
- Regularly check for and apply firmware updates.
- Implement strong, unique passwords for all accounts.
- Enable and configure firewall settings appropriately.
- Monitor your network for any suspicious activities.
Next Steps:If you haven't already, please update your device immediately. For products with unreleased firmware (marked with *), please stay vigilant for our upcoming announcements and update promptly once available.
Should you need any assistance with the update process or have security-related inquiries, please don't hesitate to contact our Technical Support team.
We appreciate your prompt attention to this critical security matter and thank you for your continued trust in DrayTek products.
Best regards, DrayTek Security Team
