CVE-2024-51138 - Remote Code Execution in DrayTek Vigor Routers via TR-069 STUN URL Parsing (Exploit and Technical Deep-Dive)

---

A new critical vulnerability, CVE-2024-51138, has been identified in several popular DrayTek Vigor router models. This security flaw could let a remote attacker gain control of the network device and execute arbitrary code with high privileges, simply by sending a specially crafted request to the router's TR-069/STUN management service.

In this post, we’ll break down what’s really happening, see how the exploit works, and talk about ways to keep your business or home safe.

What Routers are Vulnerable?

The vulnerability affects a wide range of DrayTek Vigor series routers and firmware versions, including:

- Vigor165/166: 4.2.7 and earlier
- Vigor262/LTE200: 3.9.8.9 and earlier
- Vigor286/2925: 3.9.8 and earlier
- Vigor2862/2926: 3.9.9.5 and earlier
- Vigor2133/2762/2832: 3.9.9 and earlier
- Vigor2135/2765/2766: 4.4.5 and earlier
- Vigor2865/2866/2927: 4.4.5.3 and earlier
- Vigor3912: 4.3.6.1 and earlier

DrayTek’s Vigor routers are widely used by businesses and advanced home users for reliable, high-speed networking.

Vulnerability Overview

CVE-2024-51138 is a stack-based buffer overflow in DrayTek’s TR-069/STUN URL parsing functionality.

STUN (Session Traversal Utilities for NAT) is used so that devices behind NATs or firewalls remain reachable for remote management.

The flaw occurs because the router’s firmware does not properly check how many URL parameters a client has sent. If an attacker sends a maliciously crafted request with too many parameters, it can force the router’s software to overwrite its own stack memory — leading to a buffer overflow.

This overflow can let a skilled attacker inject and run commands with root (administrator) privileges.

In plain language: A hacker could take over your router — change your settings, set up spyware, or intercept your traffic.

Normally, the TR-069 service on the router receives a management URL like

http://router-ip:port/cgi-bin/activate?param1=test&param2=foo

The router’s firmware parses each parameter. But in vulnerable firmware, the code fails to limit the number or size of parsed parameters, leading to stack memory corruption.

Vulnerable Code Example (Pseudocode)

#include <string.h>

void parse_url_params(char *uri) {
    char params[10][64];            // fixed-size stack buffer: at most 10 parameters of 63 bytes each
    int i = 0;
    char *token = strtok(uri, "&"); // split the query string on '&'

    // No check here for max number of parameters!
    while (token != NULL) {
        strcpy(params[i], token);   // <-- Dangerous: no length check on token, no bound on i
        token = strtok(NULL, "&");
        i++;
    }
}

In the example above:

- If an attacker sends more than 10 URL parameters, params[i] starts corrupting adjacent memory on the stack.
- With careful construction, a hacker can control return addresses, inject code, and redirect execution.
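As an added example that is not DrayTek's firmware code, here is a bounded counterpart to the pseudocode above: it enforces both the number of parameters and each parameter's length, and rejects the request instead of writing past the fixed-size array. The function names, the limits and the constructed query are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 10  /* same fixed array size as the vulnerable pseudocode */
#define PARAM_LEN  64  /* bytes per slot, including the NUL terminator */

/* Bounded replacement for parse_url_params(): walks the '&'-separated list
 * without modifying the input, refuses requests with more than MAX_PARAMS
 * parameters or any parameter longer than PARAM_LEN-1 bytes, and never
 * writes outside params[]. Returns the stored count, or -1 when rejected. */
int parse_url_params_safe(const char *uri, char params[MAX_PARAMS][PARAM_LEN]) {
    int count = 0;
    const char *p = uri;
    while (*p != '\0') {
        const char *sep = strchr(p, '&');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len > 0) {                 /* skip empty tokens, e.g. "a=1&&b=2" */
            /* the two bounds the pseudocode lacks: parameter count and length */
            if (count >= MAX_PARAMS || len >= PARAM_LEN)
                return -1;
            memcpy(params[count], p, len);
            params[count][len] = '\0';
            count++;
        }
        if (sep == NULL)
            break;
        p = sep + 1;                   /* continue after the '&' */
    }
    return count;
}

/* Constructed query of n "A=x" parameters (the shape of the PoC request); returns -1 if buf is too small. */
int build_repeated_query(char *buf, size_t cap, int n) {
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        int w = snprintf(buf + used, cap - used, "%sA=x", i ? "&" : "");
        if (w < 0 || (size_t)w >= cap - used)
            return -1;
        used += (size_t)w;
    }
    return 0;
}

int main(void) {
    char params[MAX_PARAMS][PARAM_LEN], query[1024];
    printf("2 params   -> %d\n", parse_url_params_safe("param1=test&param2=foo", params));
    if (build_repeated_query(query, sizeof query, 100) == 0)
        printf("100 params -> %d (rejected)\n", parse_url_params_safe(query, params));
    return 0;
}
```

A request carrying more than ten parameters, or any single parameter of 64 bytes or more, is refused with -1 before anything is copied, which is the behaviour the vulnerable loop is missing.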

Exploit Proof-of-Concept

Warning: This information is for educational purposes only. Do not use in unauthorized settings.

Here is a Python script that demonstrates how an attacker might trigger the overflow:

import requests

target = "http://<router_ip>:<port>/cgi-bin/activate?"

# Create a malicious URL with a large number of parameters
payload = "&".join(["A=x" for _ in range(100)])

url = target + payload
response = requests.get(url)

print("Sent exploit, response code:", response.status_code)

A real exploit would craft the payload to overwrite parts of memory needed to inject code.

Mitigation

- If affected, update to the latest firmware immediately. DrayTek has released patches for all known vulnerable versions; see the DrayTek Security Advisories for details.
- Block external access to TR-069 (ACS/STUN) if it is not required.

References and Further Reading

- NIST NVD: CVE-2024-51138
- DrayTek Security Advisory - Multiple models
- TR-069 Protocol Overview

Conclusion

CVE-2024-51138 is a critical bug that could put your network at risk, even from far away. If you’re using any of the affected DrayTek models, update your firmware and review your remote management settings as soon as possible. Failing to do so can leave your network open to full remote takeover.

Always stay up to date and monitor vendor security pages. If you need help, ask your IT provider or network administrator.

Timeline

Published on: 02/27/2025 21:15:37 UTC
Last modified on: 02/28/2025 22:15:39 UTC