CVE-2024-41338 Overview
CVE-2024-41338 is a NULL pointer dereference vulnerability [CWE-476] affecting a broad range of DrayTek Vigor router and gateway models. A remote, unauthenticated attacker can trigger a Denial of Service (DoS) condition by sending a crafted Dynamic Host Configuration Protocol (DHCP) request to a vulnerable device. The flaw impacts widely deployed small office and enterprise gateways, including the Vigor 165/166, 2620/LTE200, 2860/2925, 2862/2926, 2133/2762/2832, 2135/2765/2766, 2865/2866/2927, 2962/3910, and 3912 series. Successful exploitation crashes the device's DHCP service and disrupts network availability for downstream clients.
Critical Impact
An unauthenticated network attacker can crash DrayTek Vigor routers via a single malformed DHCP request, causing service outages across LAN segments.
Affected Products
- DrayTek Vigor 165/166 prior to v4.2.6 and Vigor 2620/LTE200 prior to v3.9.8.8
- DrayTek Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, and Vigor 2133/2762/2832 prior to v3.9.8
- DrayTek Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, and Vigor 3912 prior to v4.3.5.2
Discovery Timeline
- 2025-02-27 - CVE-2024-41338 published to NVD
- 2025-06-03 - Last updated in NVD database
Technical Details for CVE-2024-41338
Vulnerability Analysis
The vulnerability resides in the DHCP request handling logic of DrayTek's Vigor firmware. When the device parses a crafted DHCP packet, the code dereferences a pointer that has not been validated against NULL. The resulting access to an invalid memory address terminates the responsible process and disrupts service availability on the router.
The attack requires no authentication and no user interaction. Because DHCP is a foundational LAN service, the crash propagates immediately to client provisioning, breaking DHCP lease renewal and new client onboarding across affected network segments.
Root Cause
The defect is a missing validation check on a pointer used during DHCP message parsing, classified under [CWE-476] NULL Pointer Dereference. The firmware processes attacker-controlled fields without confirming that referenced data structures were successfully allocated or populated before access.
Attack Vector
An attacker on the same broadcast domain, or on any network path where DHCP traffic can reach the device, transmits a malformed DHCP request. The crafted packet drives the vulnerable parser down a code path where the unchecked pointer is dereferenced. The Vigor device then enters a faulted state, halting DHCP and potentially related router functions until restart.
Technical details on the affected router family are documented in the Faraday Medium advisory on multiple DrayTek router vulnerabilities and the DrayTek official website.
Detection Methods for CVE-2024-41338
Indicators of Compromise
- Unexpected DHCP service crashes, reboots, or watchdog-triggered restarts on DrayTek Vigor devices
- Sudden loss of DHCP lease issuance to LAN clients followed by router instability
- Anomalous or malformed DHCP DISCOVER/REQUEST packets observed in network captures targeting the gateway
Detection Strategies
- Inspect router syslog output for repeated process crashes, segmentation faults, or DHCP daemon restarts correlated with inbound DHCP traffic
- Deploy network intrusion detection signatures that flag DHCP packets with malformed options, oversized fields, or non-conforming structure
- Baseline DHCP request volumes per source MAC and alert on unusual bursts targeting the Vigor management interface
Monitoring Recommendations
- Forward DrayTek syslog events to a centralized logging or SIEM platform and alert on repeated DHCP service failures
- Capture LAN packet samples at the gateway to retain forensic evidence of crafted DHCP requests for incident review
- Track device uptime metrics via SNMP and alert on unexpected reboots that align with DHCP traffic anomalies
How to Mitigate CVE-2024-41338
Immediate Actions Required
- Upgrade affected DrayTek Vigor devices to the fixed firmware version listed for each model in the vendor advisory
- Restrict DHCP service exposure to trusted LAN segments and block DHCP traffic from untrusted VLANs or guest networks
- Inventory all DrayTek Vigor hardware in the environment and confirm firmware versions against the patched baselines
Patch Information
DrayTek has released fixed firmware for each affected model: Vigor 165/166 v4.2.6, Vigor 2620/LTE200 v3.9.8.8, Vigor 2860/2925 v3.9.7, Vigor 2862/2926 v3.9.9.4, Vigor 2133/2762/2832 v3.9.8, Vigor 2135/2765/2766 v4.4.5.1, Vigor 2865/2866/2927 v4.4.5.3, Vigor 2962/3910 v4.3.2.7, and Vigor 3912 v4.3.5.2. Administrators should download the appropriate firmware from the DrayTek official website and apply it during a maintenance window. The Vigor 2925 series up to v3.9.6 is also affected and should be updated to the latest supported version.
Workarounds
- Segment the network so that only authenticated, trusted hosts can transmit DHCP traffic toward the Vigor gateway
- Enable DHCP snooping on upstream managed switches to drop malformed or rogue DHCP messages before they reach the router
- Disable the DHCP server feature on the Vigor device if an alternative DHCP server can be used until firmware is updated
# Example: restrict DHCP traffic on an upstream switch interface
# (apply on switch ports facing untrusted clients)
interface GigabitEthernet0/1
ip dhcp snooping limit rate 10
no ip dhcp snooping trust
exit
ip dhcp snooping vlan 10
ip dhcp snooping
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
