Expired

Security Advisory: Cross-Site Scripting, Denial of Service and Remote Code Execution vulnerabilities (CVE-2024-41583 ~ CVE-2024-41596)

4th October 2024

On June 20th, we identified multiple vulnerabilities. We have promptly addressed these issues and released corresponding firmware updates that include the necessary security enhancements. These vulnerabilities are listed under CVE-2024-41583 to CVE-2024-41596.

If you haven't upgraded yet, please do so immediately. Before updating, back up your current configuration (System Maintenance > Config Backup) in case you need to restore it later. Be sure to upgrade with the ".ALL" file to avoid wiping the previous settings. If upgrading from a much older firmware version, review the release notes carefully for any upgrading instructions.

If remote access is enabled on your router, disable it unless necessary; otherwise restrict it with an access control list (ACL) and enable 2FA if possible. If your router is not running patched firmware (see table below), disable both remote access (admin) and SSL VPN. Because the ACL does not apply to SSL VPN (port 443), you should also temporarily disable SSL VPN until you've upgraded. New firmware releases with security updates for these vulnerabilities are listed below.

Affected Products

Model                                 Fixed Firmware Version
Vigor165                              4.2.7
Vigor166                              4.2.7
Vigor2133                             3.9.9
Vigor2135                             4.4.5.3
Vigor2620 LTE                         3.9.8.9
Vigor2762                             3.9.9
Vigor2763                             4.4.5.3
Vigor2765                             4.4.5.3
Vigor2766                             4.4.5.3
Vigor2832                             3.9.9
Vigor2860 / 2860 LTE                  3.9.8
Vigor2862 / 2862 LTE                  3.9.9.5
Vigor2865 / 2865 LTE                  4.4.5.2
Vigor2866 / 2866 LTE                  4.4.5.2
Vigor2915                             4.4.3.2
Vigor2925 / 2925 LTE                  3.9.8
Vigor2926 / 2926 LTE                  3.9.9.5
Vigor2927 / 2927 LTE / 2927L-5G       4.4.5.5
Vigor2952 / 2952 LTE                  3.9.8.2
Vigor3220n                            3.9.8.2
Vigor2962                             4.3.2.8, 4.4.3.1
Vigor3910                             4.3.2.8, 4.4.3.1
Vigor3912                             4.3.6.1

*Firmware unreleased
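The following is an added example, not DrayTek's code, showing how to check a router inventory against the fixed-firmware table above. It assumes that model variants listed together (e.g. "Vigor2862 / 2862 LTE") share one fixed version, and that where two versions are listed for a model (Vigor2962, Vigor3910) they are fixes on separate release branches (4.3.x and 4.4.x); FIXED holds a subset of the table, and the inventory is constructed sample data.

```python
import re
from typing import Tuple

# Subset of the advisory's fixed-firmware table; extend from the page as needed.
FIXED = {
    "Vigor165": ["4.2.7"],
    "Vigor2135": ["4.4.5.3"],
    "Vigor2862": ["3.9.9.5"],
    "Vigor2927": ["4.4.5.5"],
    "Vigor2962": ["4.3.2.8", "4.4.3.1"],  # two versions listed in the advisory
    "Vigor3910": ["4.3.2.8", "4.4.3.1"],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.4.5.3' -> (4, 4, 5, 3): numeric comparison, not string comparison
    (as strings, '3.9.10' would sort below '3.9.8')."""
    return tuple(int(p) for p in v.strip().split("."))

def normalize_model(model: str) -> str:
    """Map labels such as 'Vigor2862 LTE' or 'Vigor2927L-5G' onto the table key.
    Assumption: variants share the base model's fixed version."""
    m = re.match(r"vigor\s*(\d+)", model.strip(), re.IGNORECASE)
    return f"Vigor{m.group(1)}" if m else model.strip()

def is_patched(model: str, running: str) -> bool:
    """True if `running` is at or above the fixed version for this model.
    With several fixed versions, compare against the one on the same
    major.minor branch; if no branch matches, use the highest listed."""
    key = normalize_model(model)
    if key not in FIXED:
        raise KeyError(f"{model}: not in FIXED; check the advisory table")
    have = parse_version(running)
    fixes = sorted(parse_version(f) for f in FIXED[key])
    same_branch = [f for f in fixes if f[:2] == have[:2]]
    target = same_branch[0] if same_branch else fixes[-1]
    return have >= target

def audit(inventory):
    """Return (hostname, model, running_version) for devices still unpatched."""
    return [(h, m, v) for h, m, v in inventory if not is_patched(m, v)]

# Constructed sample inventory: (hostname, model as labelled, running firmware)
INVENTORY = [
    ("branch-a", "Vigor2862 LTE", "3.9.9.2"),
    ("branch-b", "Vigor2927L-5G", "4.4.5.5"),
    ("hq-core", "Vigor2962", "4.4.2.7"),
    ("lab", "Vigor3910", "4.3.2.8"),
    ("dsl-1", "Vigor165", "4.2.6"),
]

if __name__ == "__main__":
    for host, model, ver in audit(INVENTORY):
        print(f"{host}: {model} on {ver} needs {' or '.join(FIXED[normalize_model(model)])}")
```

Devices reported by audit() should have remote admin and SSL VPN disabled until they are upgraded, as the advisory recommends.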