
CVE-2024-51138: DrayTek Vigor3912 Buffer Overflow Flaw

CVE-2024-51138 is a stack-based buffer overflow vulnerability in the TR069 STUN server of DrayTek Vigor3912 firmware that enables remote attackers to execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: April 8, 2026

CVE-2024-51138 Overview

CVE-2024-51138 is a critical stack-based buffer overflow vulnerability affecting multiple DrayTek Vigor router models. The vulnerability exists in the URL parsing functionality of the TR069 STUN server component. Due to insufficient bounds checking on URL parameters, an attacker can send a maliciously crafted request to trigger a buffer overflow condition, enabling remote code execution with elevated privileges.

DrayTek routers are widely deployed in small-to-medium business (SMB) environments and branch offices, making this vulnerability particularly concerning for enterprise network security. The TR069 (Technical Report 069) protocol is commonly used for remote device management by ISPs and managed service providers, which increases the attack surface for internet-facing devices.

Critical Impact

Remote attackers can achieve arbitrary code execution with elevated privileges on affected DrayTek routers without authentication, potentially compromising entire network segments.

Affected Products

  • DrayTek Vigor165/166 firmware version 4.2.7 and earlier
  • DrayTek Vigor2620/LTE200 firmware version 3.9.8.9 and earlier
  • DrayTek Vigor2860/2925 firmware version 3.9.8 and earlier
  • DrayTek Vigor2862/2926 firmware version 3.9.9.5 and earlier
  • DrayTek Vigor2133/2762/2832 firmware version 3.9.9 and earlier
  • DrayTek Vigor2135/2765/2766 firmware version 4.4.5 and earlier
  • DrayTek Vigor2865/2866/2927 firmware version 4.4.5.3 and earlier
  • DrayTek Vigor2962 firmware version 4.3.2.8 and earlier
  • DrayTek Vigor3912 firmware version 4.3.6.1 and earlier
  • DrayTek Vigor3910 firmware version 4.4.3.1 and earlier

Discovery Timeline

  • 2025-02-27 - CVE-2024-51138 published to NVD
  • 2025-05-28 - Last updated in NVD database

Technical Details for CVE-2024-51138

Vulnerability Analysis

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a memory corruption issue where data written to a stack-allocated buffer exceeds its boundaries and overwrites adjacent memory. The flaw resides specifically in the TR069 STUN (Session Traversal Utilities for NAT) server component, which handles URL parsing for remote management operations.

The TR069 protocol allows ISPs and administrators to remotely configure, monitor, and update router firmware. The STUN server component processes incoming connection requests and parses URL parameters to establish management sessions. When the URL parsing function receives a request with an excessive number of parameters, the lack of proper boundary validation allows an attacker to overflow the stack buffer.

Successful exploitation enables remote code execution in the context of the TR069 service, which typically runs with root or elevated system privileges on embedded devices. This grants attackers complete control over the compromised router, including the ability to intercept network traffic, pivot to internal network resources, modify DNS settings for man-in-the-middle attacks, or establish persistent backdoors.

Root Cause

The root cause of CVE-2024-51138 is insufficient bounds checking in the URL parsing functionality of the TR069 STUN server. The vulnerable code fails to validate the total number and length of URL parameters before copying them into a fixed-size stack buffer. When an attacker supplies a request with excessive parameters, the parsing routine writes beyond the allocated buffer space, corrupting stack memory including saved return addresses and potentially other critical data structures.

This type of vulnerability is common in embedded systems and firmware where memory-constrained environments often lead developers to use fixed-size buffers without adequate input validation. The lack of modern memory protection mechanisms (such as ASLR or stack canaries) on many embedded router platforms further increases exploitability.

Attack Vector

The attack vector for this vulnerability is network-based and requires no authentication. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the TR069 STUN server endpoint. The attack flow involves:

  1. Identifying a vulnerable DrayTek router with the TR069 service accessible (often exposed on WAN interfaces by default or enabled by ISPs)
  2. Crafting a malicious request containing an excessive number of URL parameters designed to overflow the stack buffer
  3. Overwriting the saved return address on the stack with a pointer to attacker-controlled shellcode or ROP gadgets
  4. Gaining arbitrary code execution when the vulnerable function returns

The vulnerability is particularly dangerous because TR069 services may be exposed to the internet for legitimate remote management purposes, providing a direct attack path from external networks. No user interaction is required for exploitation.

Detection Methods for CVE-2024-51138

Indicators of Compromise

  • Unexpected outbound connections from DrayTek routers to unknown IP addresses
  • Abnormal HTTP/HTTPS traffic patterns targeting TR069 or STUN-related endpoints on router management interfaces
  • Modified router configuration without authorized administrative changes (DNS settings, firewall rules, port forwarding)
  • Unusual process activity or memory consumption on affected devices if logging is available
  • Evidence of malicious firmware modifications or persistent backdoor implants

Detection Strategies

  • Monitor network traffic for unusually large HTTP requests targeting DrayTek router management interfaces, particularly requests with excessive URL parameters
  • Implement intrusion detection signatures for stack-based buffer overflow exploitation attempts against TR069/STUN services
  • Deploy network-based monitoring to detect exploitation attempts containing shellcode patterns or ROP chains in URL parameters
  • Review router access logs for anomalous management connections from unexpected source IP addresses
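
The first strategy above, sketched as a log scan. This is an added example, not code from SentinelOne or DrayTek; it assumes the management traffic passes a proxy or sensor that writes combined-format access logs, and the thresholds, the `/mgmt` path and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed thresholds: the advisory gives no numbers, so tune these against
# a baseline of legitimate ACS/management traffic in your environment.
MAX_PARAMS = 32
MAX_QUERY_BYTES = 2048
MAX_VALUE_BYTES = 512

# Source address and request target of a combined-format access log entry.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def score_request(target):
    """Return the reasons a request target looks oversized (empty if none)."""
    query = urlsplit(target).query
    # Split on raw separators so empty and repeated parameters are counted too.
    pairs = re.split(r"[&;]", query) if query else []
    reasons = []
    if len(pairs) > MAX_PARAMS:
        reasons.append(f"param_count={len(pairs)}")
    if len(query) > MAX_QUERY_BYTES:
        reasons.append(f"query_bytes={len(query)}")
    longest = max((len(p.partition("=")[2]) for p in pairs), default=0)
    if longest > MAX_VALUE_BYTES:
        reasons.append(f"value_bytes={longest}")
    return reasons

def scan(lines):
    """Return (source_ip, reasons) for every log line that trips a threshold."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not an HTTP request line; ignore
        reasons = score_request(m.group("target"))
        if reasons:
            hits.append((m.group("src"), reasons))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2025:10:00:00 +0000] "GET /mgmt?session=abc&mode=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2025:10:00:05 +0000] "GET /mgmt?'
    + "&".join(f"p{i}=1" for i in range(200)) + ' HTTP/1.1" 400 0',
    '203.0.113.9 - - [01/Mar/2025:10:00:09 +0000] "GET /mgmt?name=' + "A" * 600 + ' HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ", ".join(reasons))
```
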

Monitoring Recommendations

  • Enable and centralize logging for all DrayTek router management interface access attempts
  • Configure alerts for configuration changes on DrayTek devices, especially DNS, firewall, and remote access settings
  • Implement network segmentation monitoring to detect lateral movement originating from router devices
  • Regularly audit firmware versions across all DrayTek devices in the environment to ensure patch compliance

How to Mitigate CVE-2024-51138

Immediate Actions Required

  • Immediately update all affected DrayTek Vigor routers to the latest firmware version available from DrayTek
  • Disable TR069 service on routers if not required for legitimate ISP or administrative management purposes
  • Restrict access to router management interfaces to trusted internal networks only using firewall rules
  • Audit current router configurations for signs of compromise before and after patching
  • Implement network segmentation to limit the potential impact of a compromised router

Patch Information

DrayTek has released firmware updates addressing this vulnerability across all affected product lines. Administrators should obtain the latest firmware from the DrayTek official website and apply updates following the manufacturer's recommended upgrade procedures. Verify firmware integrity using provided checksums before installation.

For detailed technical information about this and related DrayTek vulnerabilities, refer to the Medium Advisory on DrayTek Vulnerabilities.

Workarounds

  • Disable the TR069 service if remote management via this protocol is not required: Navigate to System Maintenance → TR-069 and disable the service
  • Block external access to TR069 ports (typically TCP 7547, 5060, and related STUN ports) at the network perimeter
  • Enable access control lists (ACLs) to restrict management interface access to specific trusted IP addresses only
  • If TR069 must remain enabled, configure it to only accept connections from known ISP management server IP addresses
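
```bash
# Example firewall rules to block external TR069 access (apply at perimeter firewall)
# Note: the INPUT chain filters traffic addressed to the host running iptables;
# on a firewall that forwards traffic to the router, place these rules in FORWARD.
# Block inbound TR069/STUN traffic from untrusted sources
iptables -A INPUT -p tcp --dport 7547 -j DROP
iptables -A INPUT -p tcp --dport 5060 -j DROP
iptables -A INPUT -p udp --dport 5060 -j DROP

# Restrict router management to internal network only
# (192.168.1.0/24 is an example; substitute your own management subnet)
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```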

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Buffer Overflow
  • Vendor/Tech: DrayTek
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 7.33%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-121

Technical References

  • DrayTek Homepage
  • Medium Advisory on DrayTek Vulnerabilities

Related CVEs

  • CVE-2024-41592: DrayTek Vigor Buffer Overflow Flaw
  • CVE-2024-51139: Draytek Vigor Buffer Overflow Vulnerability
  • CVE-2022-32548: Draytek Vigor3910 Buffer Overflow Flaw
  • CVE-2026-3040: Draytek Vigor300b Firmware RCE Vulnerability