A format string vulnerability has been discovered, which could potentially allow an unauthenticated attacker to execute arbitrary code. DrayTek has promptly addressed this issue and released new firmwares that include security update.
| Model | Fixed Firmware Version |
|---|---|
| Vigor1000B | 4.3.2.4 |
| Vigor165 | 4.2.5 |
| Vigor166 | 4.2.5 |
| Vigor2620 LTE | 3.9.8.4 |
| VigorLTE 200n | 3.9.8.4 |
| Vigor2133 | 3.9.6.6 |
| Vigor2135 | 4.4.3 |
| Vigor2762 | 3.9.6.6 |
| Vigor2763 | 4.4.3 |
| Vigor2765 | 4.4.3 |
| Vigor2766 | 4.4.3 |
| Vigor2832 | 3.9.7 |
| Vigor2860 / 2860 LTE | 3.9.5 |
| Vigor2862 / 2862 LTE | 3.9.9.2 |
| Vigor2865 / 2865 LTE | 4.4.3.1 |
| Vigor2866 / 2866 LTE | 4.4.3 |
| Vigor2925 / 2925 LTE | 3.9.5 |
| Vigor2926 / 2926 LTE | 3.9.9.2 |
| Vigor2927 / 2927 LTE | 4.4.3 |
| Vigor2952 / 2952P | 3.9.8 |
| Vigor2962 Series | 4.3.2.4 |
| Vigor3220 | 3.9.8 |
| Vigor3910 | 4.3.2.4 |
We would like to express our appreciation to the CataLpa from Dbappsecurity Co. Ltd. for their efficient testing and timely reporting.
Should you have any security-related inquiry regarding one of our products, please contact DrayTek Technical Support.