Broadband providers have been reporting a large number of disconnections which has been identified as DrayTek router users. ISPreview has been reporting on the issues and there may be a link to security vulnerabilities in DrayTek routers identified some weeks back.
The vulnerabilities are knows as follows (see Draytek site for more information): –
- CVE-2024-51138: TR069 STUN server buffer overflow.
- CVE-2024–51139: CGI POST integer overflow.
The issue was reported to DrayTek in early October and firmware fixes were released around November 2024. This is a good lesson to keep up to date with firmware even if there’s no vulnerability known.
Affected products: –
| Model | Firmware Version |
|---|---|
| Vigor2620 LTE | 3.9.9.1 or later |
| VigorLTE 200n | 3.9.9.1 or later |
| Vigor2133 | 3.9.9.2 or later |
| Vigor2135 | 4.4.5.5 or later |
| Vigor2762 | 3.9.9.2 or later |
| Vigor2765 | 4.4.5.5 or later |
| Vigor2766 | 4.4.5.5 or later |
| Vigor2832 | 3.9.9.2 or later |
| Vigor2860 / 2860 LTE | 3.9.8.3 or later |
| Vigor2862 / 2862 LTE | 3.9.9.8 or later |
| Vigor2865 / 2865 LTE / 2865L-5G | 4.4.5.8 or later |
| Vigor2866 / 2866 LTE | 4.4.5.8 or later |
| Vigor2925 / 2925 LTE | 3.9.8.3 or later |
| Vigor2926 / 2926 LTE | 3.9.9.8 or later |
| Vigor2927 / 2927 LTE / 2927L-5G | 4.4.5.8 or later |
| Vigor2962 | 4.3.2.9 or later 4.4.3.2 or later |
| Vigor3910 | 4.3.2.9 or later 4.4.3.2 or later |
| Vigor3912 | 4.3.6.2 or later 4.4.3.2 or later |
Due to the number of users trying to upgrade their routers at the same time, Draytek’s own website has been struggling and been unavailable some of today; we have set up a mirror of the firmware launched recently (originally from DrayTek) on mirror.thinkbroadband.com/draytek in case readers are struggling to get hold of updates files. Please note that we do not provide any warranty on these and would advise you to use Draytek’s own site if possible, where they also publish checksums for files along with release notes. Always take a backup of your configuration. These updates do include routers which are officially ‘end of life’ which is great to see.
I’ve just checked mine and thankfully the “critical” element only applies to the Wifi enabled router, and not the type without Wifi. The non Wifi router is “apply this firmware at your convivence”
Thank You, I was in the middle of trying to find out what the blimmin ‘eck was going on with our internet, when I read this, firmware update fixed our disconnections issue 🙂