CVE-2024-46552

7.5 HIGH

📋 TL;DR

A buffer overflow vulnerability in Draytek Vigor 3910 routers allows attackers to cause Denial of Service (DoS) by sending crafted input to the sStRtMskShow parameter. This affects organizations using Draytek Vigor 3910 routers with vulnerable firmware versions. The vulnerability is exploitable remotely without authentication.

💻 Affected Systems

Products:
  • Draytek Vigor 3910
Versions: v4.3.2.6 and likely earlier versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable as the affected CGI endpoint is typically accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router crash requiring physical reboot, extended network downtime, and potential for remote code execution if the overflow can be controlled precisely.

🟠 Likely Case

Router becomes unresponsive, requiring reboot and causing temporary network disruption for connected users and services.

🟢 If Mitigated

Limited impact if routers are behind firewalls with strict inbound filtering, though internal threats remain.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Buffer overflow in web interface parameter suggests straightforward exploitation via HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the Draytek website for firmware updates.
2. Download the latest firmware.
3. Upload it via the web admin interface.
4. Reboot the router after the update.

🔧 Temporary Workarounds

Restrict Access to Web Interface (platform: all)

Limit access to the router's web administration interface to trusted IP addresses only.

Configure firewall rules to allow only specific source IPs to reach TCP ports 80/443 on the router.

Disable Remote Administration (platform: all)

Turn off remote administration features if they are not required.

Log in to router admin > System Maintenance > Remote Management > Disable

🧯 If You Can't Patch

  • Place router behind additional firewall with strict inbound filtering
  • Monitor router logs for unusual HTTP requests to ipstrt.cgi

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status > Firmware Information

Check Version:

curl -k https://router-ip/cgi-bin/status.cgi | grep Firmware

Verify Fix Applied:

Verify firmware version is newer than v4.3.2.6 after update

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /cgi-bin/ipstrt.cgi with unusual parameter values
  • Router crash/reboot events in system logs

Network Indicators:

  • HTTP POST requests to router IP with sStRtMskShow parameter containing long strings

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/ipstrt.cgi" OR message="reboot" OR message="crash")
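The log and network indicators above can be checked mechanically. The following is an added example (not from the original page and not a Draytek tool) that scans constructed request log lines, keeps only requests to /cgi-bin/ipstrt.cgi, and flags those whose sStRtMskShow value (from the query string or a form body) is longer than a plausible netmask string. The log line format, the sample lines, and the 64-character threshold are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real router output). Assumed format:
# "<timestamp> <client_ip> <method> <path[?query]> <form-body-or-dash>"
SAMPLE_LOGS = [
    "2024-09-01T10:00:01Z 10.0.0.5 GET /cgi-bin/status.cgi -",
    "2024-09-01T10:00:02Z 10.0.0.5 POST /cgi-bin/ipstrt.cgi sStRtMskShow=255.255.255.0",
    "2024-09-01T10:00:03Z 198.51.100.7 POST /cgi-bin/ipstrt.cgi sStRtMskShow=" + "A" * 600,
    "2024-09-01T10:00:04Z 198.51.100.7 GET /cgi-bin/ipstrt.cgi?sStRtMskShow=" + "%41" * 300 + " -",
]

TARGET_PATH = "/cgi-bin/ipstrt.cgi"   # endpoint named in the page's indicators
PARAM = "sStRtMskShow"                 # parameter named in the advisory
MAX_LEN = 64                           # assumed threshold; a netmask is far shorter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<body>\S+))?$"
)


def extract_param(uri, body):
    """Return every value of PARAM found in the query string and the form body.

    parse_qs percent-decodes values, so encoded padding is measured at its
    decoded length rather than its wire length.
    """
    values = []
    parts = urlsplit(uri)
    values += parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if body and body != "-":
        values += parse_qs(body, keep_blank_values=True).get(PARAM, [])
    return values


def analyze_line(line):
    """Return a finding dict if the line is a suspicious ipstrt.cgi request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line; a real deployment would count these
    uri = m.group("uri")
    if urlsplit(uri).path != TARGET_PATH:
        return None
    values = extract_param(uri, m.group("body"))
    longest = max((len(v) for v in values), default=0)
    if longest > MAX_LEN:
        return {
            "ts": m.group("ts"),
            "ip": m.group("ip"),
            "method": m.group("method"),
            "param_len": longest,
        }
    return None


def find_suspicious(lines):
    """Scan an iterable of log lines and collect all findings."""
    return [r for r in (analyze_line(l) for l in lines) if r]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(f"{finding['ts']} {finding['ip']} {finding['method']} "
              f"{PARAM} length={finding['param_len']} (> {MAX_LEN})")
```

A normal netmask value such as 255.255.255.0 passes untouched, while both the plain and the percent-encoded oversized values are reported with their decoded length and source address, which is the information to pivot on when correlating with the reboot or crash events in the router's own system log.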
