CVE-2024-41585

EUVD-2024-39082
DrayTek Vigor3910 devices through 4.3.2.6 are affected by an OS command injection vulnerability that allows an attacker to leverage the recvCmd binary to escape from the emulated instance and inject arbitrary commands into the host machine.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
Affected Products (NVD)
VendorProductVersion
draytekvigor3910_firmware
𝑥
≤ 4.3.2.6
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
draytekvigor3910_firmware
𝑥
≤ 4.3.2.6
ADP
Common Weakness Enumeration
References
https://www.forescout.com/resources/draybreak-draytek-research/
https://www.forescout.com/resources/draytek14-vulnerabilities