Security Advisory: Denial of Service, Information Disclosure, and Code Execution Vulnerabilities
ExpiredModels Affected: See table below
Priority: Critical
Action Required: Check firmware version on units and upgrade immediately
We were recently informed about the multiple vulnerability of routers to buffer overflow and other listed issues listed below. Our engineers have released a firmware patch that improves the security of your device. Install the new firmware version as soon as possible to secure the following:
- CVE-2024-41334: Missing SSL certificate validation for APP Enforcement signature updates.
- CVE-2024–41335: Non-constant time password comparison.
- CVE-2024–41336: Insecure password storage.
- CVE-2024–41338: DHCP server NULL pointer dereference.
- CVE-2024-41339: Undocumented kernel module installation through CGI configuration endpoint.
- CVE-2024–41340: APP Enforcement signature update allows arbitrary kernel module installation.
Firmware versions including fixes for the vulnerabilities were released around Aug-Oct 2024 (depending on model), but we are publishing this advisory to encourage users to check the firmware version they are running. Please check here to download, and upgrade the firmware per model as soon as possible to ensure the security of your system.
If you have not already upgraded, update your firmware immediately. Before doing the upgrade, take a backup of your current config in case you need to restore it later [System Maintenance] > [Config Backup]. Do use the .ALL file to upgrade, otherwise you will wipe your router settings. If you are upgrading from a much older firmware, then please check the release notes carefully for any upgrading instructions.
| Model | Firmware |
| Vigor 166 | 4.2.7 or later |
| Vigor 2620Ln | 3.9.8.9 or later |
| Vigor 2135ax | 4.4.5.1 or later |
| Vigor 2762 Series | 3.9.9 or later |
| Vigor 2765 Series | 4.4.5.1 or later |
| Vigor 2766 Series | 4.4.5.1 or later |
| Vigor 2832 Series | 3.9.9 or later |
| Vigor 2860 Series | 3.9.8 or later |
| Vigor 2862 Series | 3.9.9.5 or later |
| Vigor 2865 Series | 4.4.5.3 or later |
| Vigor 2866 Series | 4.4.5.3 or later |
| Vigor 2925 Series | 3.9.8 or later |
| Vigor 2926 Series | 3.9.9.5 or later |
| Vigor 2927 Series | 4.4.5.3 or later |
| Vigor 2962 | 4.3.2.8 or later (Stable branch) |
| Vigor 2962 | 4.4.3.1 or later (Mainline branch) |
| Vigor 3910 | 4.3.2.8 or later (Stable branch) |
| Vigor 3910 | 4.4.3.1 or later (Mainline branch) |
| Vigor 3912 | 4.4.3.2 or later |
We sincerely appreciate the Faraday Security Research team for their efforts in security testing and timely reporting the vulnerability, which help enhance our security measures.