Format string vulnerability (CVE-2023-31447)

Release Date: 2023-08-23

A format string vulnerability has been discovered that could potentially allow an unauthenticated attacker to execute arbitrary code. DrayTek has promptly addressed this issue and released new firmware that includes the security update.

Affected Products

Model                     Fixed Firmware Version
Vigor1000B                4.3.2.4
Vigor165                  4.2.5
Vigor166                  4.2.5
Vigor2620 LTE             3.9.8.4
VigorLTE 200n             3.9.8.4
Vigor2133                 3.9.6.6
Vigor2135                 4.4.3
Vigor2762                 3.9.6.6
Vigor2763                 4.4.3
Vigor2765                 4.4.3
Vigor2766                 4.4.3
Vigor2832                 3.9.7
Vigor2860 / 2860 LTE      3.9.5
Vigor2862 / 2862 LTE      3.9.9.2
Vigor2865 / 2865 LTE      4.4.3.1
Vigor2866 / 2866 LTE      4.4.3*
Vigor2925 / 2925 LTE      3.9.5
Vigor2926 / 2926 LTE      3.9.9.2
Vigor2927 / 2927 LTE      4.4.3
Vigor2952 / 2952P         3.9.8
Vigor2962 Series          4.3.2.4
Vigor3220                 3.9.8
Vigor3910                 4.3.2.4

*Firmware unreleased

Recognizing Contribution

We would like to express our appreciation to CataLpa from Dbappsecurity Co. Ltd. for their efficient testing and timely reporting.

Contact Technical Support

Should you have any security-related inquiry regarding one of our products, please contact DrayTek Technical Support.